(54) System and method for protection of digital works



(57) A method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. The blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.
Description

Copyright Notice

[0001] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office file or records, but otherwise reserves all copyright rights whatsoever.

Related Application

[0002] This application is a continuation-in-part application of application no. 09/178,529 filed October 23, 1998.
Field of the Invention

[0003] The invention relates to document rights management, and more particularly, to a method for protecting digital works which employs a blind transformation to transform encrypted digital works into encrypted presentation data.

Background of the Invention

[0004] One of the most important issues impeding the widespread distribution of digital documents or works via electronic commerce is the current lack of protection of the intellectual property rights of content owners during the distribution and use of those digital documents or works. Efforts to resolve this problem have been termed "Intellectual Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Management" ("IPM"), "Rights Management" ("RM"), "Digital Rights Management" ("DRM") and "Electronic Copyright Management" ("ECM"). At the core of Digital Rights Management is the underlying issue of ensuring that only authorized users may perform operations on digital documents or works that they have acquired. Once accessed, the content must not be distributed or used in violation of the content owner's specification of rights.

[0005] A document or work, as the term is used herein, is any unit of information subject to distribution or transfer, including but not limited to correspondence, books, magazines, journals, newspapers, other papers, software, photographs and other images, audio and video clips, and other multimedia presentations. A document may be embodied in printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media. A digital work, as the term is used herein, is any document, text, audio, multimedia or other type of work or portion thereof maintained in a digital form that can be replayed or rendered using a device or a software program.

[0006] In the world of printed documents, a work created by an author is usually provided to a publisher, which formats and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other retail outlets, from which the copies are purchased by end users.

[0007] While the low quality of copying and the high cost of distributing printed material have served as deterrents to the illegal copying of most printed documents, it is far too easy to copy, modify, and redistribute unprotected electronic documents. Accordingly, some method of protecting electronic documents is necessary to make it harder to illegally copy them. This will serve as a deterrent to copying, even if it is still possible, for example, to make hardcopies of printed documents and duplicate them the old-fashioned way.

[0008] With printed documents, there is an additional step of digitizing the document before it can be redistributed electronically; this serves as a deterrent. Unfortunately, it has been widely recognized that there is no viable way to prevent people from making unauthorized distributions of electronic documents within current general-purpose computing and communications systems such as personal computers, workstations, and other devices connected over local area networks (LANs), intranets, and the Internet. Many attempts to provide hardware-based solutions to prevent unauthorized copying have proven to be unsuccessful.

[0009] Two basic schemes have been employed to attempt to solve the document protection problem: secure containers (systems which rely on cryptographic mechanisms) and trusted systems.

[0010] Cryptographic mechanisms encrypt (or "encipher") documents that are then distributed and stored publicly, and ultimately privately decrypted by authorized users. Cryptographic mechanisms provide a basic form of protection during document delivery from a document distributor to an intended user over a public network, as well as during document storage on an insecure medium. Many digital rights management solutions rely on encrypting the digital work and distributing both the encrypted message and decryption key to the consumer's system. While different schemes are employed to hide the decryption key from the consumer, the fact remains that all necessary information is available for a malicious user to defeat the protection of the digital work. Considering that current general-purpose computers and consumer operating systems provide little in the way of sophisticated security mechanisms, the threat is both real and obvious.

[0011] A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the various conditions and terms are verified with the document provider, the document is released to the user in clear form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the secure container approach provides a solution to protecting the document during delivery over insecure channels, but does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and redistributing it in violation of content owners' intellectual property.

[0012] Cryptographic mechanisms and secure containers focus on protecting the digital work as it is being transferred to the authorized user/purchaser. However, a digital work must be protected throughout its use from malicious users and malicious software programs. Even if a user is a trusted individual, the user's system may be susceptible to attack. A significant problem facing electronic commerce for digital works is ensuring that the work is protected on the target consumer's device. If the protection for the digital work is compromised, valuable and sensitive information is lost. To complicate matters, today's general-purpose computers and consumer operating systems are deficient in the areas of security and integrity. Protecting the work throughout usage is a much more complex issue that remains largely un-

[0013] In the "trusted system" approach, the entire system is responsible for preventing unauthorized use and distribution of the document. Building a trusted system usually entails introducing new hardware such as a secure processor, secure storage and secure rendering devices. This also requires that all software applications that run on trusted systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing technologies, current market trends suggest that open and untrusted systems such as PC's and workstations will be the dominant systems used to access copyrighted documents. In this sense, existing computing environments such as PC's and workstations equipped with popular operating systems (e.g., Windows and UNIX) and render applications (e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architectures.

[0014] Accordingly, although certain trusted components can be deployed, users must continue to rely upon various unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated bugs and weaknesses are frequently found and exploited.

[0015] Conventional symmetric and asymmetric encryption methods treat messages to be encrypted as basically binary strings. Applying conventional encryption methods to documents has some drawbacks. Documents are typically relatively long messages; encrypting long messages can have a significant impact on the performance of any application that needs to decrypt the document prior to use. More importantly, documents are formatted messages that rely on appropriate rendering applications to display, play, print and even edit them. Since encrypting a document generally destroys formatting information, most rendering applications require the document be decrypted into clear form before rendering it. Decryption prior to rendering opens the possibility of disclosing the document in the clear after the decryption step to anyone who wants to intercept it.

[0016] There are a number of issues in rights management: authentication, authorization, accounting, payment and financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document protection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted to perform a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the software), the document is presumably in-the-clear, or unencrypted. Simply stated, the document protection problem is to prevent the content owner's rights from being compromised when the document is in its most vulnerable state: stored, in the clear, on a machine within the user's control.

[0017] Even when a document is securely delivered (typically in encrypted form) from a distributor to the user, it must be rendered to a presentation data form before the user can view or otherwise manipulate the document. Accordingly, to achieve the highest level of protection, it is important to protect the document contents as much as possible, while revealing them to the user at a late stage and in a form that is difficult to recover into a useful form.

[0018] In the known approach to electronic document distribution, an encrypted document is rendered in several separate steps. First, the encrypted document is received by the user. Second, the user employs his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Finally, the clear content is then passed on to a rendering application, which translates the computer-readable document into the finished document, either for viewing on the user's computer screen or for printing a hardcopy. The clear content is required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be appreciated, then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, but is still stored in clear electronic form on the user's computer. If the user is careless or is otherwise motivated to minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content owner.
[0019] While no system is completely spoof proof or immune to attack, some recent techniques protect digital works by limiting use of the digital work to a user-specified physical device. These techniques require the user to provide private information or system state information from the system or physical device the user intends to use to render the digital work. System state information is typically defined as system configuration information such as system parameters, CPU identifier, device identifiers, NIC identifiers, drive configuration, etc. In these techniques, the digital content is encrypted using a session key; then the session key, rather than using the user's encryption key, is encrypted using a combination of the system or state information and the user's credentials. Then both the encrypted content and key are transmitted to the destination repository. In order to use the received encrypted work, the user must contact a trusted authorizing entity (usually a remotely located software program) which verifies the user's identity and credentials, then together with system state, decrypts the session key and finally decrypts the content for use.

[0020] Commercial applications such as the secure Adobe Acrobat reader and the secure Microsoft MediaPlayer validate usage of the digital work by checking a license voucher for the appropriate user credentials and usage rights. Among the user credentials are system device identifiers such as the CPU identifier or certain device serial numbers. At the time the user invokes an operation on the digital work, the application verifies if the specified device is present. This provides assurance that the digital work has not been transmitted to an unauthorized user (actually to an unauthorized device). While the programmatic check provides a minimal level of assurance, it depends on the security of the secret, which resides on the user's device. Not only can the decryption key be violated, but also the device identifiers themselves are particularly susceptible to the threat of spoofing.

[0021] The Acrobat Reader and MediaPlayer protection schemes operate by allowing the rendering application to identify required devices on the user system as specified in the license voucher issued for the digital work. This provides a level of protection adequate in many circumstances (i.e., if the user is trusted and the user's specified rendering device is not susceptible to attack). The weakness of the schemes is that they are based on the assumption that neither the protection of the cryptographic key nor the integrity of the license voucher will be compromised.

[0022] These techniques are really more of an authentication technique than a protection technique, in that once the user's identity and credential information or system state information is verified, or a license voucher is received, the content is decrypted to its clear state and then becomes vulnerable to attack. The digital work is afforded no protection throughout usage. Further, the user information approach is problematic in that it assumes the user will be sufficiently deterred from passing along his/her personal information. In other words, for the user information approach to succeed there must be severe consequences for users who would reveal their private identity and credential information.

[0023] A significant drawback to the schemes which tie authorization to a specific device is that they require the user to divulge sensitive information (e.g., CPU number or other personal information), which raises a concern regarding privacy issues. While the user divulges the information voluntarily (the user's only option if he/she does not wish to divulge this information is not to receive the digital work), it would be desirable to provide a protection scheme that could secure a digital work on a user's device without requiring private information. It would also be desirable to provide a DRM solution which does not rely on the protection of the cryptographic key or the integrity of the license voucher. It would be desirable to provide a DRM solution which delayed decryption of the digital content to the latest possible moment.

[0024] Accordingly, it would be beneficial to provide an electronic document distribution scheme that minimizes the disadvantages of known systems. Such a scheme would prevent users from obtaining a useful form of an electronically-distributed document during the decryption and rendering processes.

Summary of the Invention

[0025] A self-protecting document ("SPD"), according to the invention, is not subject to the above-stated disadvantages of the prior art. By combining an encrypted document with a set of permissions and an executable code segment that includes most of the software necessary to extract and use the encrypted document, the self-protecting document accomplishes protection of document contents without the need for additional hardware and software.

[0026] The SPD system is broken down between a content creator (analogous to the author and the publisher of the traditional model) and a content distributor. The author/publisher creates the original document, and decides what rights are to be permitted. The distributor then customizes the document for use by various users, ensuring via the customization that the users do not exceed the permissions they purchased.

[0027] At the user's system, the self-protecting document is decrypted at the last possible moment. In an embodiment of the invention, various rendering facilities are also provided within the SPD, so that the use of the SPD need not rely upon an external application that might not be trustworthy (and that might invite unauthorized use). In an alternative embodiment, interfaces and protocols are specified for a third-party rendering application to interact with the SPD to provide trusted rendering.

[0028] In one embodiment of the invention, the encrypted document is decrypted by the user's system while simultaneously "polarizing" it with a key that is dependent, at least in part, on the state of the user's system. The polarization may be cryptographically less secure than the encryption used for distribution, but serves to deter casual copying. In this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate form of the document to be essentially unusable.

[0029] In another embodiment of the invention, a method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. This method improves the overall performance of the process (both decryption and rendering) by minimizing the decryption overhead (since pre-rendering decryption is generally more time and resource consuming) and postponing the decryption to a late stage of the rendering process.

[0030] Blind transformation or blind computing can be accomplished in one of several ways. Most digital works include formatting information, which when encrypted cannot be processed by the replay or rendering application (the transformation function which transforms a digital work into presentation data). If the digital work is encrypted with a format preserving encryption scheme, any transformation function may be used. This is particularly useful in that any commercial replay or rendering application can process the encrypted digital work into encrypted presentation data. Otherwise the blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.

[0031] Not all encryption schemes are format preserving encryption schemes. Additive encryption schemes may be used with all document types and all associated transformation functions. In some replay or render applications, for some types of documents, portions of the format information may be left in the clear. In other types of documents all of the format information may be encrypted. In some types of documents, an additive encryption scheme may be used to encrypt the format information and any encryption scheme may be used to encrypt the content or data portion of the document.

[0032] In particular, additive encryption schemes can be used to encrypt coordinate information of documents so that some rendering transformations can be performed on the encrypted coordinate data. In a special class of documents, token-based documents, for example, there are two places during the format-preserving encryption that use encryption schemes: one is for coordinate or location information x and y of the particular tokens within the document, and the other is for the dictionary of individual token images. In order to perform blind transformation on the individual coordinates of the particular tokens in the document, the first encryption scheme must be an additive encryption scheme. However, the token dictionary may be encrypted with any encryption scheme.
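The following Python is an added illustration of paragraphs [0030] to [0032]; it is not code from the patent. It encrypts token coordinates with an additive scheme (c = x + k mod M), lets an ordinary affine rendering transform p = A·v + b run unchanged on the ciphertext, and then strips the mask A·k from the encrypted presentation data at the last step. The 16-bit modulus, the per-coordinate key pairs, the sample positions and the contrasting non-affine transform are all assumptions chosen for the example.

```python
# Added example, not the patent's own code. Additive (one-time-pad style)
# encryption of token coordinates plus a blind affine rendering transform.
from typing import List, Sequence, Tuple

M = 1 << 16  # assumption: 16-bit page coordinates; all arithmetic is mod M
Vec = Tuple[int, int]                          # (x, y) token position
Mat = Tuple[Tuple[int, int], Tuple[int, int]]  # 2x2 integer matrix


def additive_encrypt(coords: Sequence[Vec], keys: Sequence[Vec]) -> List[Vec]:
    """Additive scheme: c = x + k (mod M), one fresh key pair per coordinate."""
    return [((x + kx) % M, (y + ky) % M) for (x, y), (kx, ky) in zip(coords, keys)]


def additive_decrypt(cipher: Sequence[Vec], keys: Sequence[Vec]) -> List[Vec]:
    """Inverse of additive_encrypt: x = c - k (mod M)."""
    return [((cx - kx) % M, (cy - ky) % M) for (cx, cy), (kx, ky) in zip(cipher, keys)]


def affine(A: Mat, b: Vec, v: Vec) -> Vec:
    """Multivariate integer-coefficient affine map p = A*v + b (mod M).
    This stands in for the rendering transform (zoom, skew, page offset)."""
    x, y = v
    return ((A[0][0] * x + A[0][1] * y + b[0]) % M,
            (A[1][0] * x + A[1][1] * y + b[1]) % M)


def render(A: Mat, b: Vec, coords: Sequence[Vec]) -> List[Vec]:
    """The rendering application. It runs the same code on clear or encrypted
    coordinates: it never needs a key and never sees which one it was given."""
    return [affine(A, b, v) for v in coords]


def presentation_keys(A: Mat, keys: Sequence[Vec]) -> List[Vec]:
    """Blind transformation of the key material. Since
    A*(x + k) + b = (A*x + b) + A*k, the encrypted presentation data is the
    clear presentation data masked by A*k; only the linear part touches k."""
    return [affine(A, (0, 0), k) for k in keys]


def decrypt_presentation(enc_pres: Sequence[Vec], A: Mat, keys: Sequence[Vec]) -> List[Vec]:
    """Final step, just before display: remove the transformed mask A*k."""
    return additive_decrypt(enc_pres, presentation_keys(A, keys))


def blind_render_matches_clear(A: Mat, b: Vec, coords: Sequence[Vec], keys: Sequence[Vec]) -> bool:
    """The commutation property the scheme relies on: render-then-decrypt
    equals render-on-clear."""
    enc = additive_encrypt(coords, keys)
    enc_pres = render(A, b, enc)  # renderer only ever holds ciphertext
    return decrypt_presentation(enc_pres, A, keys) == render(A, b, coords)


def square_each(coords: Sequence[Vec]) -> List[Vec]:
    """A non-affine transform (x^2, y^2), for contrast. It does not commute
    with additive encryption, so such a renderer cannot be run blind this way."""
    return [((x * x) % M, (y * y) % M) for x, y in coords]


def nonaffine_breaks(coords: Sequence[Vec], keys: Sequence[Vec]) -> bool:
    """There is no key-only correction for the cross term 2*x*k, so decrypting
    the squared ciphertext with the identity matrix gives the wrong result."""
    identity = ((1, 0), (0, 1))
    enc = additive_encrypt(coords, keys)
    return decrypt_presentation(square_each(enc), identity, keys) != square_each(coords)


if __name__ == "__main__":
    import secrets
    sample = [(10, 20), (300, 40), (1234, 5678)]  # constructed token positions
    ks = [(secrets.randbelow(M), secrets.randbelow(M)) for _ in sample]
    zoom_and_shift = (((2, 0), (0, 2)), (50, 30))
    print("blind render ok:", blind_render_matches_clear(*zoom_and_shift, sample, ks))
    print("non-affine breaks:", nonaffine_breaks(sample, ks))
```

The mask on the presentation data, A·k, is derived from the key and the public rendering transform alone, which is what lets the decryption be postponed until after rendering; the `square_each` contrast shows why the patent restricts the blind path to additive schemes and affine (or polynomial) transforms.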

[0033] An encrypted token dictionary may still leak information such as the sizes of the token images. If this is a concern (such as if the token dictionary is small), the tokens can be padded with some extra bits before encryption. The padding can result in encrypted token images of a same size or several fixed sizes. For a token-based document, the coordinate information of the tokens in the dictionary may not be encoded. If it is desired that coordinate information be encoded, say, as Huffman codewords, the same approach that is used to encrypt the identifiers can be used to deal with this situation. Basically, the codewords in location tables are left in the clear, and the codewords in the codeword dictionary are hashed using some one-way hash function and their corresponding coordinate information is encrypted. During rendering the codewords in the location tables are first hashed and then used to look up their encrypted coordinate information.
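The Python below is an added example for paragraph [0033], not code from the patent. It builds a protected token dictionary in which the location table keeps clear codewords, each dictionary entry is indexed by a one-way hash of its codeword, and the entry's coordinate information and token image are encrypted, with the image padded to one of a few fixed sizes first so the ciphertext lengths no longer reveal glyph sizes. The HMAC index (keyed rather than a bare hash), the SHAKE-256 keystream standing in for "any encryption scheme", the bucket sizes and the sample tokens are all assumptions.

```python
# Added example, not the patent's own code: hashed-index token dictionary
# with encrypted coordinates and size-padded encrypted token images.
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

BUCKETS = (16, 32, 64)   # assumption: permitted padded image sizes in bytes
Coord = Tuple[int, int]  # per-token coordinate info, here (width, height)


def pad_to_bucket(image: bytes) -> bytes:
    """2-byte length prefix + image + random filler up to the next bucket size."""
    need = len(image) + 2
    bucket = next((s for s in BUCKETS if s >= need), None)
    if bucket is None:
        raise ValueError("token image larger than the largest bucket")
    return len(image).to_bytes(2, "big") + image + secrets.token_bytes(bucket - need)


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Per-entry keystream (toy stand-in for any cipher); label keeps streams distinct."""
    return hashlib.shake_256(key + b"|" + label).digest(n)


def mask(data: bytes, key: bytes, label: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same label decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, label, len(data))))


def index_of(codeword: bytes, index_key: bytes) -> bytes:
    """One-way index for the dictionary. Keyed (HMAC) rather than a bare hash:
    codeword alphabets are small, and a bare hash would let anyone rebuild the
    index by hashing every candidate codeword."""
    return hmac.new(index_key, codeword, hashlib.sha256).digest()


def protect_dictionary(dictionary: Dict[bytes, Tuple[bytes, Coord]],
                       enc_key: bytes, index_key: bytes) -> Dict[bytes, Tuple[bytes, bytes]]:
    """codeword -> (image, (w, h))  becomes  H(codeword) -> (enc_image, enc_coords)."""
    protected: Dict[bytes, Tuple[bytes, bytes]] = {}
    for cw, (image, (w, h)) in dictionary.items():
        h_cw = index_of(cw, index_key)
        enc_image = mask(pad_to_bucket(image), enc_key, b"img:" + h_cw)
        enc_coords = mask(w.to_bytes(2, "big") + h.to_bytes(2, "big"), enc_key, b"xy:" + h_cw)
        protected[h_cw] = (enc_image, enc_coords)
    return protected


def lookup(protected: Dict[bytes, Tuple[bytes, bytes]], codeword: bytes,
           enc_key: bytes, index_key: bytes) -> Tuple[bytes, Coord]:
    """Rendering-side lookup: hash the clear codeword from the location table,
    fetch the entry, and decrypt only at the point of use."""
    h_cw = index_of(codeword, index_key)
    enc_image, enc_coords = protected[h_cw]
    image = unpad(mask(enc_image, enc_key, b"img:" + h_cw))
    raw = mask(enc_coords, enc_key, b"xy:" + h_cw)
    return image, (int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:], "big"))


def render_positions(location_table: List[Tuple[bytes, int, int]],
                     protected: Dict[bytes, Tuple[bytes, bytes]],
                     enc_key: bytes, index_key: bytes) -> List[Tuple[int, int, Coord, bytes]]:
    """Walk the clear location table and resolve every token placement."""
    return [(x, y, *lookup(protected, cw, enc_key, index_key)[::-1])
            for cw, x, y in location_table][::1] if False else \
           [(x, y, lookup(protected, cw, enc_key, index_key)[1],
             lookup(protected, cw, enc_key, index_key)[0]) for cw, x, y in location_table]


def ciphertext_sizes(protected: Dict[bytes, Tuple[bytes, bytes]]) -> set:
    """What an observer of the protected dictionary learns about image sizes."""
    return {len(enc_image) for enc_image, _ in protected.values()}


# constructed sample data: codeword -> (token image bytes, (width, height))
SAMPLE_DICT = {b"th": (b"\x01" * 5, (8, 12)), b"e": (b"\x02" * 3, (5, 12)), b"qu": (b"\x03" * 20, (9, 14))}
SAMPLE_LOCATIONS = [(b"th", 10, 20), (b"e", 19, 20), (b"qu", 40, 20), (b"e", 50, 20)]
```

With the buckets above, the three sample images of 5, 3 and 20 bytes become ciphertexts of 16, 16 and 32 bytes, so an observer sees only two size classes instead of the exact glyph sizes; making every entry 64 bytes would remove even that.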

[0034] In another embodiment of the invention, a digital work and a system context (or resource information or system resource) are polarized, enabling trusted rendering or replay of the digital work without depolarization of the digital content. In this embodiment, the digital work is of the type which includes digital content and resource information. Resource information may include information used by a replay application to format or process the digital work into presentation data. Resource information may include, for example, a collection of system resources available to the replay software on a particular system, such as the Font Table, Color Palette, System Coordinates and Volume Setting.

[0035] Different types of digital works may be polarized. In addition to polarizing typical document type digital works, audio and video digital works can be polarized. The digital work may be polarized at either a manufacturer or content owner's location using a polarization engine. A polarization engine is a component used to transform the digital work and system context to their respective polarized forms. The polarization engine employs a polarization scheme which relies on some polarization seed, an element used to initialize and customize the polarization engine.

[0036] Various polarization schemes may be used to polarize a digital work. For example, a stateless polarization employs a random number as a seed to transform a digital work into a polarized digital work. A state-based polarization scheme employs a seed based on a system state or characteristic of a system to transform a digital work into a polarized digital work that is associated with that system state or characteristic. A dynamic state-based polarization scheme employs a seed based on a dynamic system state or characteristic to transform a digital work into a polarized digital work. In this embodiment, the polarized digital work will typically be provided with a polarization engine for repolarizing the encoded digital work and the encoded system context according to the dynamic state-based polarization scheme each time the system requests replay of the digital work. An authorization-based polarization scheme employs a seed based on authorization information received from a trusted source to transform a digital work into a polarized digital work. For further security, the polarized system context can be stored separately from the polarized digital work in a removable context device, which must be coupled to the system prior to use of the digital work.

[0037] Preferably the polarization seed contains information which can be used to tie the particular digital work to the ultimate end user or an ultimate end user system. Typically the owner or distributor will select the type of polarization scheme to be used in polarizing the digital work and the type of polarization key to use depending on the value of the digital work. Like encryption schemes, polarization schemes come in different levels of complexity and strength. When a digital work is ordered, a copy of a portion of the digital work's resource information, called the system context, is made. The polarization seed is selected and both the digital work and the system context are polarized. A different polarization scheme may be used for the system context than is used for the digital work. However the polarization seed is the same for both. The polarized digital work and polarized system context are then provided to the user for replay or rendering on a replay or rendering system.

[0038] In the format preserving encryption and trusted rendering embodiment of the invention, protection is provided until the encrypted presentation data must be decrypted into clear presentation data. In this embodiment of the invention, the replay application uses the polarized resource information to transform a polarized digital work into clear presentation data.

[0039] If only the digital content of a digital work is polarized, leaving the resource information unpolarized or in the clear, the replay application will be able to process the polarized digital work into polarized presentation data. This means a depolarizer must depolarize the presentation data into clear presentation data suitable for viewing or use by the user. If a portion of a digital work's resource information is also polarized accordingly, when the replay application transforms the polarized digital work, the replay application uses the polarized system resource information to transform the polarized digital work into clear presentation data. All or just a portion of the required resource information may be polarized. The replay is blind in that the replay application does not see the original, unpolarized digital content.

[0040] In this embodiment, a polarized digital work is transformed by the replay application using a polarized system context (resource information) to create clear presentation data; the replay application can be any commercial or third party application. The replay application need not be customized to depolarize the presentation data and no depolarizer engine is required. The replay application operates as a blind replay system (it processes polarized digital content using polarized system resources) and relies on a type of polarization which transforms or encodes the digital work such that the ability to replay it using a software program or device is tied to a specific resource information, thus protecting the content throughout use.

[0041] Unlike systems which employ encryption to protect the digital work and eventually decrypt the digital work into its clear form before the digital work is provided to the replay application, the blind replay system keeps the digital work encoded in the polarized form (there is no explicit decoding step in the blind replay) until the last possible moment of the replay process. In the blind replay system, the polarized digital work itself is never depolarized in the clear. Since presentation data is generally of a lesser quality than the original digital work, even if the presentation data is captured in its clear form, it cannot be easily (if at all) transformed back into the original digital work.
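The Python below is an added example for the blind replay of paragraphs [0039] to [0041], using the state-based seed of paragraph [0036]; it is not code from the patent. The document's character codes and its font table (the resource information) are polarized with one permutation derived from the same seed, so an unmodified renderer that simply looks codes up in whatever font table it is handed produces clear text, while the document object it holds stays polarized. The seed derivation from a constructed system-state dictionary, the seeded shuffle used as the polarization engine, and the identity font are all assumptions.

```python
# Added example, not the patent's own code: blind replay of a polarized
# document against a font table polarized with the same seed.
import hashlib
import random
from typing import Dict, List

ALPHABET = 128  # assumption: 7-bit character codes index the font table


def polarization_seed(system_state: Dict[str, str]) -> int:
    """State-based scheme: the seed is derived from system characteristics.
    (A stateless scheme would substitute a random number; an authorization-
    based one a value received from a trusted source.)"""
    canonical = "|".join(f"{k}={system_state[k]}" for k in sorted(system_state))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest()[:8], "big")


def polarization_permutation(seed: int) -> List[int]:
    """Polarization engine: a seeded permutation of the code space.
    Illustrative only; random.Random is not a cryptographic permutation."""
    perm = list(range(ALPHABET))
    random.Random(seed).shuffle(perm)
    return perm


def polarize_document(codes: List[int], perm: List[int]) -> List[int]:
    """Digital content: every code is replaced by its image under perm."""
    return [perm[c] for c in codes]


def depolarize_document(codes: List[int], perm: List[int]) -> List[int]:
    """Inverse mapping; only used here to show the round trip, the blind
    replay path below never calls it."""
    inverse = [0] * ALPHABET
    for clear_code, polarized_code in enumerate(perm):
        inverse[polarized_code] = clear_code
    return [inverse[c] for c in codes]


def polarize_font_table(font: Dict[int, str], perm: List[int]) -> Dict[int, str]:
    """System context: re-key the resource information with the same perm,
    so polarized code perm[c] maps to the glyph that clear code c had."""
    return {perm[c]: glyph for c, glyph in font.items()}


def replay(codes: List[int], font: Dict[int, str]) -> str:
    """An ordinary renderer: it looks each code up in the font table it is
    given and has no notion of polarization."""
    return "".join(font.get(c, "\ufffd") for c in codes)


def clear_font() -> Dict[int, str]:
    return {c: chr(c) for c in range(ALPHABET)}  # constructed identity font


def blind_replay(text: str, system_state: Dict[str, str]) -> str:
    """Polarize content and context under the state-derived seed, then hand
    both to the unmodified renderer; no depolarizer runs on either."""
    perm = polarization_permutation(polarization_seed(system_state))
    doc = [ord(ch) for ch in text]
    return replay(polarize_document(doc, perm), polarize_font_table(clear_font(), perm))


def replay_with_foreign_context(text: str, doc_state: Dict[str, str],
                                other_state: Dict[str, str]) -> str:
    """Content polarized for one system, context polarized for another:
    the renderer still runs, but the glyph mapping no longer lines up."""
    doc_perm = polarization_permutation(polarization_seed(doc_state))
    ctx_perm = polarization_permutation(polarization_seed(other_state))
    doc = [ord(ch) for ch in text]
    return replay(polarize_document(doc, doc_perm), polarize_font_table(clear_font(), ctx_perm))


if __name__ == "__main__":
    state = {"cpu_id": "CONSTRUCTED-CPU-0001", "nic": "00:11:22:33:44:55"}
    other = {"cpu_id": "CONSTRUCTED-CPU-0002", "nic": "66:77:88:99:aa:bb"}
    print(blind_replay("Hello, world", state))
    print(replay_with_foreign_context("Hello, world", state, other))
```

Because the renderer only ever sees `perm[c]` values and a re-keyed font table, a copy of the polarized document taken from the rendering pipeline is useless without a context polarized under the same seed, which is the sense in which the patent ties replay to a specific resource information rather than to a decryption step.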
[0042] Many different types of digital works and their resource information may be polarized and replayed in a blind replay system. Digital works such as documents, text, audio files, graphics files and video files may be replayed in the blind replay system of the invention by polarization of an appropriate resource information.

Brief Description of the Drawings

[0043] The structure and function of the invention is best understood with reference to the included drawings, which may be described as follows:

FIGURE 1 is a top-level block diagram representing a model for the creation and commercial distribution of electronic documents in either secure or insecure environments;

FIGURE 2 is a flow diagram illustrating the decryption of protected electronic documents according to the art;

FIGURE 3 is a flow diagram illustrating the decryption of protected electronic documents according to a simple embodiment of the invention;

FIGURE 4 is a flow diagram illustrating the decryption of protected electronic documents according to a preferred embodiment of the invention;

FIGURE 5 is a functional block diagram illustrating the data structures present in a self-protecting document according to an embodiment of the invention;

FIGURE 6 is a flow diagram illustrating the creation and customization of a self-protecting document according to an embodiment of the invention;

FIGURE 7 is a flow diagram, from a user's perspective, illustrating the actions performed in handling and using a self-protecting document according to the invention;

FIGURE 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and rendered and decrypted presentation data;

FIGURE 9 is a flow diagram illustrating a polarization process according to the invention in which document format information remains in the clear for rendering;

FIGURE 10 is a block diagram of a method of format preserving encryption and trusted rendering according to the invention;

FIGURE 11 is a simple example of a document to be tokenized;

FIGURE 12 is the token dictionary for the document of Fig. 11;

FIGURE 13 is the location table for the document of Fig. 11;

FIGURE 14 is a block diagram illustrating a process for generating a polarized digital work and polarized system resource according to the invention;

FIGURE 15 is a block diagram illustrating the conversion of a digital work into image data according to the art;

FIGURE 16 is a block diagram illustrating a system for blind replay of a polarized digital work according to the invention;

FIGURE 17 is a block diagram illustrating another system of blind replay of a polarized digital work according to the invention;

FIGURE 18 is a block diagram of an example structure of a digital document;

FIGURE 19 is an example digital document;

FIGURE 20 is an example of the digital document of Fig. 16 after it has been polarized;

FIGURE 21 is a block diagram of an example structure of a resource information or system context for a digital document;

FIGURE 22 is a block diagram of an example font table; and

FIGURE 23 is a block diagram of the font table of Fig. 22 after it has been polarized.
Detailed Description of the Preferred Embodiments 



[0044] The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that 
the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the 
disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely 
representative and do not limit the scope of the invention. 

[0045] Figure 1 represents a top-level functional model for a system for the electronic distribution of documents, 
which, as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, software, 
audio and video clips, and other multimedia presentations. 

[0046] An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for 
distribution. Although it is contemplated that the author may also distribute documents directly without involving another 
party as a distributor, the division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 110 to 
concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. 
Moreover, such a breakdown would allow the distributor 114 to realize economies of scale by associating with a number 
of authors and publishers (including the illustrated author/publisher 110). 

[0047] The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, 
the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the 
original content 112 with the user 118's public key, and modified content 116 is customized solely for the single user 
118. The user 118 is then able to use his private key to decrypt the modified content 116 and view the original content. 

[0048] A payment 120 for the content 112 is passed from the user 118 to the distributor 114 by way of a clearinghouse 
122. The clearinghouse 122 collects requests from the user 118 and from other users who wish to view a particular 
document. The clearinghouse 122 also collects payment information, such as debit transactions, credit card transactions, 
or other known electronic payment schemes, and forwards the collected users' payments as a payment batch 
124 to the distributor 114. Of course, it is expected that the clearinghouse 122 will retain a share of the user's payment 
120. In turn, the distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 (including 
royalties) to the author and publisher 110. In one embodiment of this scheme, the distributor 114 awaits a bundle of 
user requests for a single document before sending anything out. When this is done, a single document with modified 
content 116 can be generated for decryption by all of the requesting users. This technique is well-known in the art. 

[0049] In the meantime, each time the user 118 requests (or uses) a document, an accounting message 128 is sent 
to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent 
by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. 
Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment 
batches 124 made to the distributor 114. This accounting scheme is present to reduce the possibility of fraud in this 
electronic document distribution model, as well as to handle any time-dependent usage permissions that may result 
in charges that vary, depending on the duration or other extent of use. 

[0050] The foregoing model for electronic commerce in documents, shown in Figure 1, is in common use today. As 
will be shown in detail below, it is equally applicable to the system and method set forth herein for the distribution of 
self-protecting documents. 

[0051] Turning now to Figure 2, the steps performed by the user 118 (Figure 1) in a prior art system for electronic 
document distribution are shown. As discussed above, cryptographic mechanisms are typically used to encipher 
documents. Those encrypted documents are then distributed and stored publicly and deciphered privately by authorized 
users. This provides a basic form of protection during document delivery from a document distributor to an intended 
user over a public network, as well as during document storage on an insecure medium. 

[0052] At the outset, an encrypted document 210 is received by the user 118 and passed to a decryption step 212. 
As is well known in the art, the decryption step 212 receives the user 118's private key, which is stored locally at the 
user's computer or entered by the user when needed. The document 210 is decrypted, resulting in clear content 216 
similar or identical to the original content 112 (Figure 1). 

[0053] The clear content 216 is passed to a rendering application 218, which constructs presentation data 220, or 
a usable version of the document's original content 112. In typical systems of this kind, the presentation data 220 is 
data immediately suitable for display on a video screen, for printing as a hardcopy, or for other use depending on the 
document type. 

[0054] As discussed above, the document is vulnerable in systems like this. The clear content 216 can be copied, 
stored, or passed along to other users without the knowledge or consent of the distributor 114 or the author/publisher 
110. Even a legitimate user may be tempted to minimize the licensing fees by capturing the document in the clear in 
order to redistribute and use it at will, without honoring the intellectual property of the content owners. As discussed 
above, the present invention is directed to a scheme for preventing such a user from obtaining a useful form of the 
document during the rendering process on the user's system. 

[0055] Accordingly, the system and method of the present invention sets forth an alternative scheme for handling 
encrypted documents at the user 118's system. A simple embodiment of this scheme is illustrated in Figure 3. 
[0056] Figure 3 looks similar to Figure 2, in that an encrypted document 310 is passed to a decryption step 312 
(which uses a private key 314) and a rendering application 316, resulting in presentation data 318. However, an 
additional layer of protection is provided by a protecting shell 320. The protecting shell 320 allows the document 310 to be 
decrypted and rendered without ever leaving clear content (as in the clear content 216 of Figure 2) available to be 
intercepted. This is accomplished by including decryption and rendering elements within the document 310, as will be 
described below with reference to Figure 5. The included decryption and rendering elements are adapted to limit the 
user's interaction with the SPD, prohibiting certain operations (such as saving the document or performing cut-and-paste 
operations) according to the user's permissions. 

[0057] Figure 4 is a more sophisticated version. The scheme of Figure 4 includes an intermediate "polarization" step 
adapted to secure the document after it has been decrypted but before it is rendered. First, the encrypted document 
contents 410 are passed to a polarizer 412. The polarizer 412 receives the user's private key 414 and, via a decryption 
step 416, decrypts the document contents 410. Concurrently, the polarizer 412 receives a polarization key 418 from 
the user's system. 

[0058] This polarization key 418 is used by the polarizer 412 to transform the document to a version having polarized 
contents 420. All of these operations can take place in the open, without any kind of protective mechanism, provided 
the polarizer 412 does not store a clear version of the document between decrypting it and polarizing it. 

[0059] In one embodiment of the invention, the polarization key 418 represents a combination of data elements taken 
from the user's system's internal state, such as the date and time of day, elapsed time since the last keystroke, the 
processor's speed and serial number, and any other information that can be repeatably derived from the user's system. 
It is useful to include some time-derived information in the polarization key 418 so that interception and seizure of 
polarized contents 420 would not be useful. Further rendering of the polarized document would not be possible, as the 
system time would have changed too much. 

[0060] Then, once again within a protecting shell 422, the polarized contents 420 are passed to a rendering 
application 424. As discussed above, typical rendering applications are third-party applications such as Microsoft Word or 
Adobe Acrobat Reader. However, it is likely that such external rendering applications will not be able to process the 
polarized contents 420, as the contents, any formatting codes, and other cues used by the renderer will have been 
scrambled in the polarization process. 

[0061] Hence, the rendering application 424 must be commutative (or at least fault-tolerant), or it must receive 
polarized contents 420 that are largely complete and processable by the application. The latter possibility will be discussed 
below, in connection with Figure 9. 

[0062] The output of the rendering application is polarized presentation data 426, which has been formatted by the 
rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 
426 is passed to a depolarizer 428 which receives the polarization key 418 and restores the original form of the 
document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with 
the rendering [illegible]. In this case, the polarized presentation data 426 is received directly by a display 
device 432, which can be separate from the user's system and receive data over a communications channel. 

[0063] Creation of the polarization key 418, the rendering application 418, and the depolarization step 428 are all 
components of the protecting shell 422; these are tamper-resistant program elements. It is contemplated that all computation 
(or transformation) steps that occur within the protecting shell 422 will use local data only and will not store 
any data to any globally accessible storage medium or memory area; only the explicit results will be exported 
from protecting shell 422. This approach will prevent users from easily modifying operating system entry points or 
scavenging system resources so as to intercept and utilize intermediate data. 
[0064] It should be noted that the presentation data 430 of Figure 4, in alternative embodiments of the invention, can 
be either device independent or device dependent. In the device-independent case, additional processing by a device 
(such as a display driver or a printer driver) typically is necessary to complete the rendering process [illegible]. 
In the preferred device-dependent case, the device-specific modifications to the presentation data have already 
been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can 
[illegible]. 

[0065] [illegible] structure, which is shown in detail in Figure 5. As discussed above, certain operations performed by the system and 
method of the invention require trusted components. One way to ensure that certain unm[illegible] 
perform the trusted aspects of the invention is to provide the code along with the documents. The various components 
of a self-protecting document according to the invention are illustrated in Figure 5. 
[0066] The problem of document protection [illegible] 
of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document 
to be a secure meta-document object. Content owners (i.e., authors or publishers) attach rights to a document that 
specify the types of uses, the necessary authorizations and the associated fees [illegible] 
the permissions granted to the user. This combination of the document, the associated rights, and the attached software 
[illegible] the rights is the self-protecting document ("SPD") of the invention. A self-protecting document 
prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the 
[illegible]. 

[0067] The self-protecting document 510 includes three major functional segments: an executable code segment 
512 contains certain portions of executable code necessary to en[illegible]; a rights 
and permissions segment 514 contains data structures representative of the various [illegible] 
permitted to various users; and a content segment 516 includes the encrypted content 116 (Figure 1) sought to be 
[illegible]. 

[0068] In a preferred embodiment of the invention, the content segment 516 of the SPD 610 includes three subsections: 
document meta-information 518 (including but not limited to the document's title, [illegible]), 
label information 520 (such as a copyright notice attached to the text, as well as rights and permissions information), 
and the protected content 520 (the encrypted document itself). 

[0069] In one embodiment of the invention, the rights and permissions segment 514 [illegible] 
authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, 
John Doe may be given the right to view a particular document and to print it twice [illegible]. The 
rights and permissions segment 514 identifies John Doe, associates two rights with him (a viewing right and a printing 
right) and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and 
permissions segment 514 may also include information on other users. 

[0070] In an alternative embodiment, the rights and permissions segment 514 includes only a link to external information 
specifying rights information. In such a case, the actual rights and permissions are stored elsewhere, with 
the advantage that rights and permissions may be updated dynamically by the content owners. For example, the price 
for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected. 

[0071] In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known 
in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user 
from directly viewing the rights and permissions of himself and others. 

[0072] The executable code segment 512, also called the "SPD Control," also contains several [illegible], 
which comprises a software module at least partially within the executable code segment. In [illegible] 
the invention the Java programming language is used for the SPD Control; however, it is contemplated that any 
platform-independent or platform-specific language, either interpreted or compiled, can be used in an implementation of 
this invention. 
[0073] A rights enforcer 524 is present to verify the user's identity, to compare a requested action by the user to 
those actions enumerated in the rights and permissions segment 514, and to permit or deny the requested action 
depending on the specified rights. The operation of the rights enforcer 524 will be discussed in further detail below, in 
connection with Figure 7. 

[0074] A secured polarization engine 526 is also present within the executable code segment 512; it serves to read 
and polarize the data according to the [illegible] (or other polarization key) as discussed above. In a preferred 
embodiment of the invention, the polarization engine 526 acts upon the document before it is stored or decrypted, so 
the document is never stored in the clear on the user's system. The polarization engine 526 is secured, that is, it is 
cryptographically signed and encrypted, to prevent tampering, reverse-engineering, and disassembling. 

[0075] A counterpart depolarization engine 528 is also included to enable the generation of clear presentation data 
from the polarized content (see Figure 4). The depolarization engine includes a set of secure window objects, providing 
a relatively tamper-proof interface to the rendering API (application program interface) of the user's system. The secure 
window objects are resistant to being intercepted, thereby reducing the possibility that the document, in its clear form, 
can be reconstructed by intercepting and receiving the data intended for the operating system. 

[0076] A counterpart depolarization engine 528 is also included to enable the generation of clear presentation data 
from the polarized content (see Figure 4). The depolarization engine 528 provides a relatively tamper-proof interface 
to the logical or physical output device (e.g., the user's display device). The input to the depolarization engine 528 is 
polarized presentation data. Therefore, if that data is intercepted, it will not reveal any of the clear content without 
further depolarization which depends on, for example, the user's system state. 

[0077] A secure viewer 530 is optionally included in the executable code segment 512. The secure viewer 530 is 
used to permit only those levels of access that are permitted according to the rights and permissions segment 514. 
For example, if the user purchased only sufficient rights to view a document (and not to save or print it), the viewer will 
not permit the user to save, print, or perform the standard cut-and-paste operations possible in most modern operating 
systems. 

[0078] Finally, a rendering engine 532 is included or referenced within the executable code segment 512. The 
rendering engine 532 need not be secure. Accordingly, the code for the rendering engine 532 can be included within the 
SPD applet, or alternatively retrieved (via a secure link) from some other location. In either case, the rendering engine 
532 is adapted to receive polarized document contents and produce polarized presentation data therefrom (see Figure 
4). 

30 [0079] The foregoing aspects and elements of the self-protecting document 510 will be discussed in further detail 
below, in conjunction with the operation of the system. 

[0080] Figure 6 shows the steps performed when a self-protecting document 510 is created and distributed. A generic 
SPD 610 includes no user-specific rights information and is not encrypted for any particular user. The generic SPD 
610 is created from three items: the original document content 612, in clear (unencrypted) form; a high-level rights 
specification 614; and an optional watermark 616. 

[0081] The content 612 is pre-processed (step 618) to lay out the document as desired by the author or publisher. 
For example, a preferred page size, font, and page layout may be selected. The content 612 is essentially "pre-rendered" 
in the content pre-processing step so that it will be in a format that is compatible with users' systems and the 
SPD. For example, the content 612 may be converted from Microsoft Word (".DOC") or Adobe Acrobat (".PDF") format 
to a different format specially adapted to be read by the rendering engine 532 (Figure 5). In one embodiment of the 
invention, multiple versions of the content 612 are generated by the content pre-processing step and stored in the 
generic SPD 610; those different versions may then be separately purchased by the user according to his needs. 
[0082] The high-level rights specification 614 sets forth what combinations of access rights are permissible. Such a 
rights specification is tailored to a particular document, and is capable of describing different groups of rights for different 
classes of downstream users. For example, a publisher may be given the right to distribute up to 100,000 copies of a 
document at a $1.00 per copy royalty, with additional copies yielding a $2.00 royalty. Similarly, users may be given the 
option to purchase a version of the document that "times out" after one month, one year, or never. Several possible 
limitations are described with reference to a detailed example, which is set forth below. 

[0083] Digital Property Rights Language (DPRL) is a language that can be used to specify rights for digital works. It 
provides a mechanism in which different terms and conditions can be specified and enforced for rights. Rights 
specifications are represented as statements in DPRL. For details, see, for example, U.S. Patent No. 5,715,403 to Stefik, 
entitled "System for Controlling the Distribution and Use of Digital Works Having Attached Usage Rights Where the 
Usage Rights are Defined by a Usage Rights Grammar." Enforcement of rights and verification of conditions associated 
with rights is performed using the SPD technology. 
EP 1 146 715 A1 

[0084] Different rights can be specified for different parts of a digital work using a "work" specification. Within a work 
specification, different sets of rights applicable to this work are specified. Rights can be grouped into named groups 
called "rights groups". Each right within a rights group is associated with a set of conditions. Conditions can be of 
different types: fee to be paid, time of use, type of access, type of watermark, type of device on which the operation 
can be performed, and so on. DPRL allows different categories of rights: transfer, render rights, derivative work rights, 
file management rights and configuration rights. Transport rights govern the movement of a work from one repository 
to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work 
through a transducer to an external medium (this includes the "export" right, which can be used to make copies in the 
clear). Derivative work rights govern the reuse of a work in creating new works. File management rights govern making 
and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories. 
An exemplary work specification in DPRL is set forth below: 

(Work: 
   (Rights-Language-Version: 1.02) 
   (Work-ID: "ISBN 1-55860-166-X; AAP-2348957tun") 
   (Description: "Title: 'Zuke-Zack, the Moby Dog Story' 
                  Author: 'John Beagle' 
                  Copyright 1994 Jones Publishing") 
   (Owner: (Certificate: 
             (Authority: "Library of Congress") 
             (ID: "Murphy Publishers"))) 
   (Parts: "Photo-Celebshots-Dogs-23487gQ" "Dog-Breeds-Chart-AKC") 
   (Comment: "Rights edited by Pete Jones, June 1996.") 
   (Contents: (From: 1) (To: 16636)) 
   (Rights-Group: "Regular" 
      (Comment: "This set of rights is used for standard retail editions.") 
      (Bundle: 
         (Time: (Until: 1998/01/01 0:01)) 
         (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa"))) 
      (Play: 
         (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1)))) 
      (Print: 
         (Fee: (Per-Use: 10.00 USD)) 
         (Certificate: 
            (Authority: "DPT") 
            (Type: "TrustedPrinter-6")) 
         (Watermark: 
            (Watermark-Str: "Title: 'Zeke Zack - the Moby Dog' Copyright 
                             1994 by Zeke Jones. All Rights Reserved.") 
            (Watermark-Tokens: user-id institution-location render-time))) 
      (Transfer:) 
      (Copy: (Fee: (Per-Use: 10.00 USD))) 
      (Copy: (Access: 
               (User: (Certificate: 
                         (Authority: "Murphy Publishers") 
                         (Type: "Distributor"))))) 
      (Delete:) 
      (Backup:) 
      (Restore: (Fee: (Per-Use: 5.00 USD))))) 

[0085] This work specification has a rights group called "Regular," which specifies rights for standard retail editions 
of a book titled "Zuke-Zack, the Moby Dog Story." The work specification expresses conditions for several rights: play, 
print, transfer, copy, delete, backup, and restore. The work in the example includes two other parts, a photograph and 
a chart of breeds incorporated from other sources. A "bundle" specification bundles a set of common conditions that 
apply to all rights in the group. This specification states that all rights in the group are valid until January 1, 1998 and 
that the fee should be paid to account "Jones-PBLSH-18546789". The clearing-house for this transaction should be 
Visa. The following contract applies: the work can be played by paying $1.00 every hour, where fee is accumulated by 
the second; the work can be printed on TrustedPrinter-6 which is certified by "DPT" for a fee of $10.00 per print; the 
printed copy should have a watermark string (as depicted) and a list of tokens signifying "fingerprint" information known 
at the time it is printed; this work can be copied either by paying $10.00 or by acquiring a distributor certificate from 
Murphy publishing; and unrestricted transfer, deletion or backing up of this work is permitted (restoration costs $5.00). 
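The work specification above, parsed and then checked against concrete requests the way the rights enforcer 524 would check them, as an added example that is not part of the original patent; the trimmed SAMPLE_SPEC, the check_right helper, its (authority, type) certificate tuple and the request times are assumptions of this example.

```python
# Added example, not the patent's own code: a small parser for the
# DPRL-style work specification above and a rights check in the spirit of
# the rights enforcer 524.  The trimmed SAMPLE_SPEC and all names are
# constructed for this example.
import re
from datetime import datetime

SAMPLE_SPEC = """
(Work:
  (Rights-Language-Version: 1.02)
  (Rights-Group: "Regular"
    (Bundle:
      (Time: (Until: 1998/01/01 0:01))
      (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa")))
    (Play: (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
    (Print:
      (Fee: (Per-Use: 10.00 USD))
      (Certificate: (Authority: "DPT") (Type: "TrustedPrinter-6")))
    (Copy: (Fee: (Per-Use: 10.00 USD)))
    (Delete:)
    (Restore: (Fee: (Per-Use: 5.00 USD)))))
"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse(text):
    """Parse a DPRL S-expression into nested lists; element 0 of each list
    is its tag (e.g. "Print:"), quoted strings lose their quotes."""
    tokens = TOKEN.findall(text)
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = []
            while tokens[pos] != ")":
                node.append(read())
            pos += 1                      # consume ")"
            return node
        if tok == ")":
            raise ValueError("unbalanced ')'")
        return tok.strip('"')
    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after work specification")
    return tree

def child(node, tag):
    """First sub-node of `node` with the given tag, or None."""
    for item in node[1:]:
        if isinstance(item, list) and item and item[0] == tag:
            return item
    return None

def dprl_time(parts):
    """DPRL time such as ["1998/01/01", "0:01"] -> datetime."""
    return datetime.strptime(" ".join(parts), "%Y/%m/%d %H:%M")

def per_use_fee(right):
    """Per-use fee (USD) attached to a right, or 0.0 when there is none."""
    fee = child(right, "Fee:")
    per_use = child(fee, "Per-Use:") if fee else None
    return float(per_use[1]) if per_use else 0.0

def check_right(tree, group_name, right_name, when, cert=None):
    """Decide whether `right_name` ("Print", ...) may be exercised at `when`
    ("1997/06/01 12:00") under the named rights group, given an optional
    presented certificate (authority, type).  Returns (allowed, fee, why)."""
    group = None
    for item in tree[1:]:
        if isinstance(item, list) and item[:2] == ["Rights-Group:", group_name]:
            group = item
    if group is None:
        return (False, 0.0, "no such rights group")
    # Bundle conditions apply to every right in the group.
    bundle = child(group, "Bundle:")
    time_cond = child(bundle, "Time:") if bundle else None
    until = child(time_cond, "Until:") if time_cond else None
    if until and dprl_time(when.split()) >= dprl_time(until[1:]):
        return (False, 0.0, "rights group expired")
    right = child(group, right_name + ":")
    if right is None:
        return (False, 0.0, "right not granted")
    need = child(right, "Certificate:")
    if need is not None:
        wanted = (child(need, "Authority:")[1], child(need, "Type:")[1])
        if cert != wanted:
            return (False, 0.0, "certificate %s/%s required" % wanted)
    return (True, per_use_fee(right), "ok")

def demo():
    """The checks an enforcer would make for a few constructed requests."""
    spec = parse(SAMPLE_SPEC)
    return [
        check_right(spec, "Regular", "Print", "1997/06/01 12:00", ("DPT", "TrustedPrinter-6")),
        check_right(spec, "Regular", "Print", "1997/06/01 12:00"),
        check_right(spec, "Regular", "Copy", "1998/02/01 9:00"),
        check_right(spec, "Regular", "Delete", "1997/06/01 12:00"),
        check_right(spec, "Regular", "Export", "1997/06/01 12:00"),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```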
[0086] The high-level rights specification 614 is also subject to a pre-processing step (step 620), in which the 
high-level (i.e., human-readable) specification is compiled into a more-efficient data structure representation for use by the 
invention. 

[0087] The generic SPD 610 is then created (step 622) by combining the pre-processed content 612, the pre-processed 
rights specification 614, and the watermark 616. A watermark may be added by any means known in the art; it 
may be either visible or concealed within the SPD. The generic SPD 610 may also optionally be encrypted by the 
author/publisher 110 for transmission to the distributor 114 (Figure 1). 

[0088] The generic SPD 610 is then received by the distributor 114, and is stored for later customization. When a 
user request 624 is received by the distributor 114 (either directly or through the clearinghouse 122 or other 
intermediary), the distributor 114 creates a set of user permissions (step 626) that is consistent with both the user request 624 
and the rights specification 614. If there is no such consistent set of permissions, then no further action is performed 
on that user's behalf (other than an optional notification message to the user). 

[0089] The user permissions and the user's public key 628 are then used to generate (step 630) a customized SPD 
632 adapted to be used by the user. The user permissions from step 626 are stored in the rights and permissions 
segment 614 of the SPD 632, and the user's public key 628 is used to encrypt the content in the content segment 516 
of the SPD 632. A public-key encryption mechanism can be used to transform the SPD from the generic form to the 
customized SPD 632. Such a mechanism is useful if the SPD has to be confidentially transferred between different 
parties, e.g., author to publisher to retailer to consumer, with rights protection at each stage. It should further be noted 
that multiple user requests can be composed and accommodated within a single SPD 632; there are techniques known 
in the art that are capable of using multiple public keys to encrypt a document such that any of the users' private keys 
can be used to decrypt it. 
[0090] The resulting custom SPD 632 is then transmitted to the user 118 by any available means, such as via a 
computer network or stored on a physical medium (such as a magnetic or optical disk). 

[0091] The operations performed when a user receives an SPD are depicted in the flow diagram of Figure 7. The 
SPD is first received and stored at the user's system (step 710); in many cases, it is not necessary to use the SPD 
right away. When usage is desired, the user is first authenticated (step 712), typically with a user name and a password 
or key. The system then determines what action is desired by the user (step 714). When an action is chosen, the 
rights-enforcement step of the invention (step 716) verifies the conditions associated with the desired action (such as the 
fee, time, level of access, watermark, or other conditions); this can be performed locally via the SPD applet 512 (Figure 
5) or by accessing a rights enforcement server. 

[0092] If the rights enforcement step (step 716) fails, an update procedure (step 718) is undertaken. The user may 
choose to update his permissions, for example by authorizing additional fees. After the satisfactory verification of 
conditions, a pre-audit procedure (step 718) is performed, in which the SPD system logs verification status to a tracking 
service (e.g., the audit server 130 of Figure 1). The content is then securely rendered to the screen (step 722) as 
discussed above. When the user is finished, a post-audit procedure (step 724) is performed in which the amount of 
usage is updated with the tracking service. The SPD system then awaits further action. 

[0093] The protection yielded by the SPD is derived from the user's inability to capture a useful form of the document 
at any intermediate stage during the rendering process. This is accomplished by decrypting the document contents to 
a clear form at the latest possible stage, ideally in the last step. 

[0094] The SPD decryption model is illustrated in Figure 8. E denotes the encryption function performed by the 
publisher, D denotes the decryption performed at the user's system, and R denotes the rendering transformation. Many 
prior systems use a first sequence of transformations 810, D(E(x)) followed by R(D(E(x))). As stated previously, the 
early decryption leaves the document in a vulnerable state. Ideally, the transformations are performed in the reverse 
order 812, R'(E(x)) followed by D(R'(E(x))). This postpones decryption to the latest possible time. 

[0095] The existence of R', a rendering operation that can be performed before decryption, is determined by the 
following equality: 

D(R'(E(x))) = R(D(E(x))) 

In case the encryption and decryption functions are commutative, that is, E(D(x)) = D(E(x)) for any x, the existence 
of R' is ensured: 

R'(y) = E(R(D(y))) for y = E(x) 

In practice, encryption and decryption functions in popular public-key cryptographic systems such as the RSA system 
and ElGamal discrete logarithm system satisfy the commutation requirement. This means that the transformation R' 
exists if these cryptographic systems are used for encryption and decryption. 

[0096] The path x' = D(R'(E(x))) portrays an ideal SPD solution to the protection of documents against unauthorized document usage and distribution. A scenario of distributing and using a document can be described as follows. When a user purchases the document, the document is encrypted using the user's public information and is transmitted over an insecure network channel such as the internet. The encrypted document has the rights information attached to it and a protecting applet 512 that enforces the rights and permissions granted to the user by the content owner. Upon a user's request to use the document, the applet verifies the rights and permissions and generates from the encrypted document the presentation format of the original document. As any intermediate form of the document before the final presentation data is encrypted with the user's private information, the SPD model of document protection ensures that any intermediate form of the document is not useful to other systems wherever it is intercepted. 
[0097] Clearly, this ideal model relies on whether or not the blind transformation R' that corresponds to the rendering transformation R can be computed efficiently, and in particular on whether or not an invocation of the decryption function D is necessary during an implementation of R'. A trivial case in which R' can be implemented efficiently is where R is commutative with the encryption function E. When this happens, 

R'(y) = E(R(D(y))) = R(E(D(y))) = R(y) 

for y = E(x). In this case, R' = R. 
[0098] Consideration of Figure 8 reveals that many intermediate solutions (e.g., intermediate solutions 814, 816, and 818) to the document protection problem may exist on the user's system between the two extremes x' = R(D(E(x))), which has no protection on x = D(E(x)), and x' = D(R'(E(x))), which has ideal protection (under the assumptions set forth above). As depicted in Figure 8, one may consider different paths from the encrypted document E(x) to the presentation data x' that correspond to different combinations of partial rendering transformations and partial decryption transformations. Again, it should be recognized that delaying the decryption D in any path increases the protection level of the document. 

[0099] As discussed above, one alternative method of delaying decryption to the last possible moment employs a polarization technique that encrypts only the document contents, not the format or the entire document as a whole. This possibility is shown in Figure 9. Beginning with the clear document content 910 (which, it should be noted, does not exist in any single identifiable location during the user's processing, but is rather a transient state occurring within step 412 of Figure 4), the document is split (step 912) into a data portion 914 and a format portion 916. The data portion 914 is polarized (step 918) using the polarization key 920 and merged (step 922) with the clear format portion 916. This results in polarized content 924 that can be rendered to polarized presentation data without first decrypting the content. It should be observed that this form of polarization is likely less secure than wholesale encryption with the polarization key, since a lot of information can potentially be derived from the layout of a document, word lengths, line lengths, etc.; however, this scheme will present a useful deterrent to casual copyright infringement. 

[0100] A method of protecting a digital work during replay which employs a blind transformation function is shown with reference to Figure 10. In Figure 10, an encrypted digital work 1010 is provided to replay application 1012. Digital work 1010 has been encrypted with a format preserving encryption scheme which enables replay application 1012 to generate encrypted presentation data 1016. Encrypted presentation data 1016 is then sent to decryption engine 1018 where it is decrypted into clear presentation data 1020. Presentation data is now in the clear, but less likely to be regenerated into the original digital form. If presentation data 1020 can be viewed or used directly by the user, then no further processing is required. However, sometimes an additional rendering is required by a display system such as a printer. In such a case, presentation data 1020 is provided to the display system's rendering application (in the case of a printer this could be a decomposer) 1022 which generates image data 1024. Image data 1024 is then provided to display device 1026. 

[0101] In a general context, the problem of blind transformation can be stated as follows. Suppose a client Cathy wants a server Steve to compute for her a function value F(a,x) with his (public or private) data a and her private data x, and Cathy wishes, for privacy reasons, that the transformation is done without Steve knowing her private data x or the function value F(a,x). From Steve's point of view, this means that he computes F(a,x) for Cathy but with his eyes blindfolded. What this means is that Cathy would like the server Steve to perform the transformation only with data E_k(x) encrypted using Cathy's key k, and return to her the function value E_k(F(a,x)), again encrypted using her key k. If Steve can perform the transformation using encrypted data, then Cathy has avoided disclosing the data x in the clear and the result F(a,x) in the clear. The ideal model of blind transformation with partially encrypted data is shown below: 

      x  -------- E_k ------->  E_k(x) 
      |                            | 
      F                            F' 
      |                            | 
      v                            v 
    F(a,x)  <---- D_{k^-1} ----  F'(a,E_k(x)) 

The function F' that makes the diagram commute is what Steve really computes, and the transformation result F'(a,E_k(x)) = E_k(F(a,x)) is ready for decryption to reveal the desired function value F(a,x). As Steve "sees" neither the clear data x nor the function value F(a,x), he carries out a "blind" transformation for Cathy. 

[0102] A protocol for blind transformation can be described as follows for the blind evaluation of the function F(a,x): 

(i) Cathy encrypts x using her encryption key k, resulting in E_k(x). 
(ii) Cathy sends E_k(x) to Steve. 
(iii) Steve evaluates the modified version F' of the function F at the clear data a and the encrypted data E_k(x). 
(iv) Steve returns the result F'(a,E_k(x)) back to Cathy. 
(v) Cathy decrypts F'(a,E_k(x)) using her decryption key k^-1 and obtains F(a,x). 

[0103] The ideal model of blind transformation introduced here can be regarded as a generalization of blind signatures and instance hiding. Blind transformation now allows partially encrypted data as input and, more importantly, it permits the function F' that the server computes to be possibly different from the intended function F. By computing F' instead of F, the server, though still blindfolded, is aware of the input being partially encrypted and hence is cooperative with the client. Blind transformation and secure mobile computing share a common goal in keeping the function value that the server computes private to the client, but they differ in that the client supplies the data input and the server supplies (a program that evaluates) the function in blind transformation, while it is the other way around in secure mobile computing. Note that blind transformation allows some portion of the data (e.g., a) to be in the clear. This enables use of some dynamic yet clear data in the rendering process, such as display window size, reference positions for shifting content, scaling factor and coefficients in a rotation operation. 

[0104] Blind transformation works only if there exist functions F and F' to compute the encrypted data. It can be shown that multivariate, integer coefficient affine functions using additive encryption schemes permit many document rendering functions of the affine type on the x- and y-coordinates to be evaluated in blind transformation. For a given encryption scheme S, a function F: X -> X is said to be S-blindly computable if there exists some function F': X -> X such that the computational complexity for evaluating F' is polynomial in that for evaluating F, and 

F(a,x) = D_{k^-1}(F'(a,E_k(x))) 

for any k ∈ K and x ∈ X. A function F: X -> X is said to be blindly computable if there exists an encryption scheme S with X being a subset of its message space such that F is S-blindly computable. 

[0105] Any multivariate, integer-coefficient affine function is S-blindly computable for any additive encryption scheme S. Specifically, let 

$F_{x_0,a_1,\ldots,a_k}(x_1,\ldots,x_k) = x_0 + \sum_{i=1}^{k} a_i x_i$ 

be a multivariate affine function with a constant x_0 ∈ X, integer coefficients a_i and variables x_1, ..., x_k in X. Then, for any key k ∈ K, there exists a computationally efficient affine function F'_{y_0,b_1,...,b_k} such that F is S-blindly computable via F' in the sense of [0104]. Indeed, the constant y_0 and integer coefficients b_i in F'_{y_0,b_1,...,b_k} can be taken to be y_0 = E_k(x_0), b_i = a_i, i = 1, ..., k. The blind transformation of multivariate, integer coefficient affine functions using additive encryption schemes allows many document rendering functions of the affine type on the x- and y-coordinates to be evaluated in the blind manner, providing a theoretical foundation for the format-preserving encryption and trusted rendering of documents described herein. 
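The protocol of [0102] and the affine case of [0105], as an added example that is not part of the patent: the additive Mult cipher of [0123] (y = ax mod n) stands in for S, Cathy supplies the constant term encrypted as y_0 = E_k(x_0), and the modulus, key and sample values are constructed for the illustration.

```python
# Added example (not from the patent): blind evaluation of the affine function
# F(x_1..x_k) = x_0 + sum(a_i * x_i) of [0105] over the additive Mult cipher
# E_k(x) = k*x mod n of [0123]. Modulus, key and inputs are constructed here.
from math import gcd
import random

N = 1_000_003  # constructed modulus n (prime, so every nonzero key has an inverse)

def keygen(n=N, rng=random):
    """Pick a Mult key k with gcd(k, n) == 1 so that k^-1 mod n exists."""
    while True:
        k = rng.randrange(2, n)
        if gcd(k, n) == 1:
            return k

def enc(k, x, n=N):
    """E_k(x) = k*x mod n. Additive: k*(x + x') = k*x + k*x' (mod n), and for an
    integer coefficient a, a*E_k(x) = E_k(a*x). Mult is deterministic, so equal
    plaintexts give equal ciphertexts (the frequency leak [0135] warns about)."""
    return (k * x) % n

def dec(k, y, n=N):
    """D_{k^-1}(y) = k^-1 * y mod n."""
    return (pow(k, -1, n) * y) % n

def affine(x0, coeffs, xs, n=N):
    """Clear evaluation F(x) = x_0 + sum a_i x_i mod n, used only as a reference."""
    return (x0 + sum(a * x for a, x in zip(coeffs, xs))) % n

def blind_affine(y0, coeffs, ys, n=N):
    """Steve's F'_{y0,b}: same shape as F with y_0 = E_k(x_0), b_i = a_i, but it
    touches only ciphertexts. The clear coefficients a_i are Steve's data a."""
    return (y0 + sum(b * y for b, y in zip(coeffs, ys))) % n

def blind_protocol(k, x0, coeffs, xs, n=N):
    """Steps (i)-(v) of [0102] in one place; returns the value Cathy recovers."""
    ys = [enc(k, x, n) for x in xs]           # (i)  Cathy encrypts her private x_i
    y0 = enc(k, x0, n)                        #      ... and the constant term x_0
    result = blind_affine(y0, coeffs, ys, n)  # (ii)-(iv) Steve computes F' blindly
    return dec(k, result, n)                  # (v)  Cathy decrypts to F(a, x)

if __name__ == "__main__":
    k = keygen()
    print(blind_protocol(k, 7, [3, -2, 5], [10, 20, 30]))  # 147 for any key
```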

[0106] A document is usually a message that conforms to a certain format. For document encryption, in addition to simply encrypting the entire document, there are many different ways to encrypt only some parts of the document. The goal here is that the information leakage about the unencrypted portion cannot be used, or if it does leak, it is computationally difficult to reconstruct the encrypted contents. 

[0107] If an encryption scheme preserves formatting information of the digital work, then any transformation function (replay application or rendering application) may be used. An example of a format preserving encryption method is described for convenience with reference to token-based documents. The method for format-preserving encryption can be easily extended or applied to documents in other formats (such as HTML/XML, Microsoft WORD, Acrobat PDF etc.). In a token-based format such as the Xerox DigiPaper, each page image of a document is represented as a dictionary of token images (such as characters and graphics elements) and location information (indicating where those token images appear in the page). Thus, multiple occurrences of the same token in the document can be represented using just a single image of that token in the dictionary. 

[0108] The process of rendering a document in such a format is then accomplished by consecutively reading in token locations, retrieving images of the tokens from the dictionary and drawing the images at the specified locations. The benefits of token-based documents are compact file size and fast rendering speed for use in distributing, viewing and printing of electronic documents. In the DigiPaper format, tokens are stored as binary images using the CCITT Group 4 compression format, or as color images using JPEG compression, and the position information of the tokens is further compressed using Huffman coding. 

[0109] For convenience, a token-based document D of P pages is formally modeled as a table (dictionary) of tokens T of size |T|, together with a sequence of P tables of locations L_i of size |L_i| (1 ≤ i ≤ P), representing the P page images. Each entry T[j], 1 ≤ j ≤ |T|, is a pair (id[j], t[j]) of an identifier id[j] and an image t[j] of the j-th token. Each entry L_i[k], 1 ≤ k ≤ |L_i|, in the i-th image location table is a triple (id[k], x[k], y[k]) representing the k-th token occurrence in the i-th page image, where id[k] is the token identifier, and x[k], y[k] are its x- and y-coordinate differences from the previous (k-1)-th token occurrence in the page. For example, take the simple document shown in Figure 11. The token dictionary and location table (using x, y coordinates) for this document are shown in Figures 12 and 13 respectively. 

[0110] The schematic pseudo-code Render(D) below shows how page images of a document D are rendered. In the code, x0, y0 are the base references for the x- and y-coordinates for each page, Lookup(T, id[k]) is a subroutine that, upon the input of the dictionary T and a token identifier id[k], returns a token image t in T corresponding to the given identifier, and Draw(x, y, t) is a subroutine that draws the token image t at the location (x, y). 

Render(D) 
{ 
    Load T into memory 
    for i = 1 to P do 
    { 
        Load L_i into memory 
        x = x0 
        y = y0 
        for k = 1 to |L_i| do 
        { 
            x = x + x[k] 
            y = y + y[k] 
            t = Lookup(T, id[k]) 
            Draw(x, y, t) 
        } 
    } 
} 
[0111] In addition to the shifting transformation x' = x + a, y' = y + b as used in the schematic rendering process described above, there are several other coordinate transformations that may occur during the document rendering. 

[0112] Scaling. The scaling transformation is of the form x' = ax, y' = by, where a and b are scaling factors for the x-coordinate and y-coordinate, respectively. Scaling may be caused by resizing the display window or print paper. 

[0113] Rotation. The rotation transformation is 

$\begin{pmatrix} x' \\ y' \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} x \\ y \end{pmatrix}$ 

for some constants a, b, c, d, which form a 2-by-2 rotation matrix. This transformation is needed when the page image 

[0114] Affine Transformation. An affine transformation is one of the form x' = ax + by + e; y' = cx + dy + f for some constants a, b, c, d, e, f. In the vector form, it is: 

$\begin{pmatrix} x' \\ y' \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} x \\ y \end{pmatrix} + \begin{pmatrix} e \\ f \end{pmatrix}$ 

Clearly shifting, scaling and rotation transformations are special cases of affine transformations. It is those affine type transformations that make it possible to achieve a high-level trusted rendering under encryption of coordinate information using the additive encryption schemes described below. 
[0115] A special class of encryption schemes, namely, additive encryption schemes, is used to carry out blind transformation of functions of the affine type, which provides a foundation for trusted rendering of documents. Blind transformation by a rendering transformation R and R' of an encrypted document satisfies the relationship D(R'(E(x))) = R(D(E(x))), where E is an encryption function and D is a decryption function for E. If E is an additive encryption scheme, then R' = R. 

[0116] An encryption scheme S generally consists of five components: (i) a message space X which is a collection of possible messages, (ii) a ciphertext space Y which is a collection of possible encrypted messages, (iii) a key space K which is a set of possible keys, (iv) a computationally efficient encryption function E: K × X → Y, and (v) a computationally efficient decryption function D: K × Y → X. For each key k ∈ K, there is a unique key k^-1 ∈ K such that the encryption function E_k = E(k,·): X → Y and the decryption function D_{k^-1} = D(k^-1,·): Y → X satisfy that, for every message x ∈ X, D_{k^-1}(E_k(x)) = x. The key k is called an encryption key and k^-1 its corresponding decryption key. 
[0117] Such defined encryption schemes can be varied in several ways to cover a wide range of concrete encryption schemes used in practice. One variation is to consider whether or not the keys used for encryption and decryption are different. In the case where all encryption keys k are the same as their corresponding decryption keys k^-1, the scheme is a symmetric (or private-key) one; otherwise, the scheme is asymmetric. In the case where, for all possible k, k^-1 is different from k and computationally difficult to derive from k, the scheme is a public-key encryption scheme. 

[0118] Another variation is to differentiate deterministic and probabilistic encryption schemes. In a deterministic scheme all the encryption and decryption functions E_k and D_{k^-1} are deterministic functions, while in a probabilistic scheme the encryption function can be non-deterministic, namely, applying the function to a message twice may result in two different encrypted messages. 

[0119] An additive encryption scheme is an encryption scheme whose message space X and ciphertext space Y possess some additive structures and whose encryption function E_k = E(k,·): X → Y is homomorphic with respect to the additive structures. Specifically, let X = (X, +, 0) and Y = (Y, ⊕, 0) be two commutative semigroups with (possibly different) zero elements 0 satisfying, for all x, x + 0 = x and 0 + x = x, and efficient operations + and ⊕. An encryption scheme is said to be additive if, for any k ∈ K and any x, x' ∈ X, E_k(x + x') = E_k(x) ⊕ E_k(x'), and the operation ⊕ does not reveal the clear messages x and x'. The last condition on ⊕ makes additive encryption schemes non-trivial. Without this condition, the operation ⊕ on Y can be trivially defined as y ⊕ y' = E_k(D_{k^-1}(y) + D_{k^-1}(y')); that is, it is accomplished by first decrypting the arguments, then adding them together and finally re-encrypting the result. 
[0120] Closely related to additive encryption schemes are multiplicative ones. An encryption scheme is said to be multiplicative if its spaces X and Y have ring structures (i.e., in addition to their additive structures, they have respective multiplications × and ⊗ that are distributive over their additions + and ⊕, and multiplicative identities), the encryption function E_k is homomorphic with respect to the multiplications, E_k(x × x') = E_k(x) ⊗ E_k(x'), and the operation ⊗ does not reveal the clear messages x and x'. 

[0121] In general, additive (as well as multiplicative) encryption schemes are not non-malleable, since a non-malleable scheme requires that, given an encrypted message, it is (at least computationally) impossible to generate a different encrypted message such that the respective clear messages are related. Accordingly, they have a weakness against active attacks where the adversary attempts to delete, add or alter in some other way the encrypted messages. However, when these schemes are used to encrypt documents, extra measures in data integrity and message authentication can be taken to reduce the risks caused by these active attacks on document integrity as well as confidentiality. Moreover, end users are less motivated to initiate active attacks, as the attacks will affect document contents that the users are going to use and consume. 

[0122] Not all encryption schemes can be defined as additive ones in an easy and natural manner. In fact, some encryption schemes are designed with a requirement of being non-additive or at least being able to convert into non-additive. Nevertheless, there are many examples of additive encryption schemes that can be used in the method of format-preserving encryption and trusted document rendering. Mult, Exp and EG (three deterministic schemes), OU (probabilistic) and RSA are examples of additive encryption schemes (with varying degrees of vulnerability to attack) that may be used in the format preserving method. 

[0123] Multiplicative Cipher (Mult) is a symmetric encryption scheme, where X = Y = Z_n = {0, 1, ..., n-1} for some integer n > 0. The encryption of a message x using a key a is 

y = E_a(x) = ax (mod n) 

and the decryption of a message y using the key a is 

x = D_a(y) = a^-1 y (mod n), 

where a^-1 is the multiplicative inverse of a modulo n. 

[0124] Exponential Cipher (Exp) is a symmetric cipher, where X = Z_{p-1} and the ciphertext space Y = Z_p for some prime p, and K is the set of all generators of the multiplicative group Z*_p. For any generator g ∈ K, the encryption function is defined as the exponential function 

E_g(x) = g^x (mod p), 

while the decryption function is defined as the logarithm function 

D_g(y) = log_g y (mod (p-1)). 

[0125] Semi-probabilistic ElGamal Cipher (EG) extends the exponential cipher to the ElGamal cipher, which leads the ElGamal cipher to run in a semi-probabilistic mode. For each message x ∈ Z_p, where Z_p = {1, ..., p-1} for some prime p, g is a generator in the multiplicative group Z*_p, the private decryption key for a user is a random number a ∈ Z*_{p-1}, the public encryption key is α = g^a (mod p) ∈ Z_p, and the encryption E_α(x, r) depends on a uniformly chosen random number r ∈ Z*_{p-1}: 

E_α(x, r) = (g^r (mod p), xα^r (mod p)) = (s, t). 

For an encrypted message (s, t), the decryption function is defined as 

D_a(s, t) = t(s^a)^-1 (mod p). 

[0126] The ElGamal cipher in its original form as described above is hardly additive. However, the operator ⊕ can be partially defined on the ciphertexts of those x's that share the same random number r as follows: 

E_α(x, r) ⊕ E_α(x', r) = (s, t) ⊕ (s, t') = (s, t + t') = E_α(x + x' (mod p), r). 

[0127] This partially defined operation is applicable when a batch of messages are encrypted using the same random number r. 

[0128] Okamoto-Uchiyama Cipher (OU). Okamoto and Uchiyama proposed an additive, public-key encryption scheme in T. Okamoto and S. Uchiyama, "A New Public-Key Cryptosystem as Secure as Factoring", Eurocrypt'98, Lecture Notes in Computer Science 1403, 308-318, 1998, which is probabilistic and provably as secure as the intractability of factoring n = p^2 q against passive adversaries. Choose two large primes p, q of k bits for some k > 0, and let n = p^2 q. Choose g ∈ Z*_n at random such that the order of g_p = g^(p-1) (mod p^2) is p. Let h = g^n (mod n). The message space X of the OU scheme is the set Z_p (not the set {1, ..., 2^(k-1)} as claimed) and the ciphertext space Y is Z_n. For a user, a public key is the tuple (n, g, h, k) and its corresponding private key is the pair (p, q) of the primes. To encrypt a message x ∈ X, a random number r ∈ Z_n is chosen uniformly. Then the encrypted message y is computed from x and r with the public key. 

To decrypt the encrypted message y, a "logarithmic" function L: Γ → Z_p, 

L(x) = (x - 1)/p, 

is used, where Γ is the p-Sylow subgroup of Z*_{p^2}, i.e., Γ = {x ∈ Z*_{p^2} | x ≡ 1 (mod p)}. With the function L, the decryption function is 

x = D_{p,q}(y) = L(y^(p-1) (mod p^2)) L(g_p)^-1 (mod p). 

[0129] New additive encryption schemes can be constructed from existing ones via the composition construction of encryption schemes. The composition construction can also be used to construct additive encryption schemes from non-additive ones. For instance, the composition of the exponential cipher Exp and any multiplicative encryption scheme S (such as RSA) results in an additive one. 

[0130] Additive encryption schemes enable blind transformation with partially encrypted data, which serves as a foundation for trusted rendering of documents, as discussed above. In particular, additive encryption schemes can be used to perform blind transformation of affine functions with clear coefficients and encrypted variables. 
[0131] Returning to the example of a token-based document, since a token-based document D consists of a dictionary T of token images and a sequence of location tables L_i (one for each page image), the idea is to encrypt the content of the dictionary T and the location tables L_i, resulting in a dictionary T' of encrypted token images and location tables L'_i of encrypted locations. Recall that the dictionary T consists of a collection of pairs (id[j], t[j]), j = 1, ..., |T|. Associated with T is a subroutine Lookup used in the rendering process. 

[0132] In encrypting the dictionary T, there are three basic choices: encrypting token identifiers, token images, or both. Encrypting token identifiers or token images 
In addition, encrypting token images protects proprietary token images. In any case, it is desirable to allow valid access to the encrypted dictionary T' in the rendering process, while making it computationally infeasible to recover the entire clear contents of the dictionary. This is possible because in many cases the valid identifiers (e.g., Huffman codewords) occupy only a very small subset of all syntactically possible identifiers. The requirement in encrypting the dictionary is that the encrypted dictionary T' and the corresponding subroutine Lookup' satisfy the following constraints: 

(1) For any encrypted identifier E_k(id), Lookup'(T', E_k(id)) = E_k(Lookup(T, id)) and 

(2) Given T' and Lookup', it is computationally infeasible to reconstruct T. 

[0133] For an encryption scheme S, T' and Lookup' can be constructed as follows. Let ID be the set of all syntactically possible identifiers; in particular, ID' ⊂ ID, where ID' = {id | (id, t) ∈ T}. Let h be a one-way hash function whose domain is ID. For each pair (id, t) in T, the pair (h(id), E_k(t)) is inserted into T'. The modified subroutine Lookup' uses the algorithm: 

Lookup'(T', id) 
{ 
    id' = h(id) 
    t' = Lookup(T', id') 
    return t' 
} 

Notice that the return value of Lookup' is an encrypted token image. The decryption of this image will be postponed into the final subroutine Draw' in the rendering process, which is part of the trusted rendering described below. 

[0134] This dictionary encryption is computationally feasible, both in terms of storage-space overhead and in terms of running-time overhead, to compute with encrypted versions of token dictionaries. If the hashing and encryption algorithms used in the Lookup' subroutine are secure enough, then it is computationally very difficult to recover T given T' and Lookup'. 

[0135] Since each entry in a location table L_i consists of an identifier and location differences in x- and y-coordinates, any combination of the three elements can be encrypted. To encrypt the location information, an additive encryption scheme is recommended to enable applying any rendering transformation of the affine type to the location coordinates. For identifiers, a trade-off between document compression and document protection must be made. In a token-based document, a token identifier is usually a codeword of some coding scheme for the compression purpose. For example, when the Huffman code is used to compress the document, the identifiers are the binary Huffman codewords of the tokens based on their occurrence frequency in the document. In this case, simply using a deterministic encryption scheme to encrypt these identifiers offers no effective protection on them. This is because the scheme does not change the occurrence frequency of each token, and hence anyone can re-count the number of occurrences of the encrypted identifiers to reconstruct the Huffman codewords that are the identifiers. Therefore, in order to hide occurrence frequencies of the tokens in the document, it is preferred to use a probabilistic encryption scheme to encrypt the identifiers. However, this will interfere with the optimal encoding carried in the identifiers (codewords) and reduce the document compression ratio. This may be undesirable for token-based documents, as achieving a good document compression is one of the design goals for token-based documents. 

[0136] A reasonable compromise for encrypting L_i is suggested. Choose an additive encryption scheme S, preferably a probabilistic and asymmetric one like the Okamoto-Uchiyama cipher OU if encryption and decryption efficiency is not a big problem. For each entry (id, x, y) in L_i, insert (id, E_k(x), E_k(y)) into L'_i. If it is also necessary to encrypt the identifiers, entries like (E_k(id), E_k(x), E_k(y)) may be inserted into the location table L'_i. But in this case, the entries in the encrypted dictionary T' need to be changed to (E_k(id), E_k(t))'s, and the subroutine Lookup' above also needs to be modified to reflect the change. 

[0137] With the format-preserving encryption of a token-based document mentioned above, the document content can also be protected during the rendering process. The idea is to delay decryption into Draw'(x, y, t). The rendering process is shown below. 

Render'(D') 
{ 
    Load T' into memory 
    for i = 1 to P do 
    { 
        Load L'_i into memory 
        x = E_k(x0) 
        y = E_k(y0) 
        for k = 1 to |L'_i| do 
        { 
            x = x ⊕ x[k] 
            y = y ⊕ y[k] 
            t = Lookup'(T', id[k]) 
            Draw'(x, y, t) 
        } 
    } 
} 

Draw'(x, y, t) 
{ 
    x = D_{k^-1}(x) 
    y = D_{k^-1}(y) 
    t = D_{k^-1}(t) 
    Draw(x, y, t) 
} 

During the process, all the coordinate and token image information remains encrypted before calling the subroutine Draw(x, y, t). This is possible for the coordinate information because the encryption scheme is additive. Consequently, the content protection level and the performance of the rendering process rely on the security strength and computational complexity of the scheme used. 
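The token-document encryption of [0131]-[0136] and the trusted rendering of [0137], carried through end to end as an added example (not the patent's own code): the EG cipher of [0125]-[0127] with one shared random r is the additive scheme, identifiers stay in the clear as [0136] suggests, and the prime, generator, hash function and sample document are assumptions made for the illustration.

```python
# Added example (not from the patent): format-preserving encryption of a
# token-based document ([0109], [0131]-[0136]) and the trusted rendering
# Render'/Draw' of [0137]. Coordinates and token images are encrypted with the
# semi-probabilistic ElGamal cipher EG of [0125], batch-encrypted under one
# random r so that ciphertexts add as in [0126]. Prime p, generator g, the
# identifier hash h and the sample document are constructed for this example.
import hashlib
import random

P = 1019  # constructed safe prime: p - 1 = 2 * 509, and 2 generates Z*_p
G = 2

def eg_keygen(rng=random):
    """Private key a in {1..p-2}, public key alpha = g^a mod p."""
    a = rng.randrange(1, P - 1)
    return a, pow(G, a, P)

def eg_enc(alpha, x, r):
    """E_alpha(x, r) = (g^r mod p, x * alpha^r mod p) = (s, t).
    x = 0 gives t = 0, so zero values are visible in the ciphertext: one of the
    weaknesses [0122] alludes to, and why [0136] prefers a probabilistic scheme."""
    return pow(G, r, P), (x * pow(alpha, r, P)) % P

def eg_dec(a, s, t):
    """D_a(s, t) = t * (s^a)^-1 mod p."""
    return (t * pow(pow(s, a, P), -1, P)) % P

def eg_add(c1, c2):
    """(s, t) (+) (s, t') = (s, t + t') = E_alpha(x + x' mod p, r); needs equal s."""
    assert c1[0] == c2[0], "ciphertexts must share the random r"
    return c1[0], (c1[1] + c2[1]) % P

def h(identifier):
    """One-way hash of a token identifier for the encrypted dictionary T'
    (constructed: truncated SHA-256; the patent only requires h to be one-way)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]

def encrypt_document(alpha, tokens, pages, base, r):
    """Build T' = {h(id): E(t)}, L'_i = [(id, E(x[k]), E(y[k]))] and E(x0), E(y0).
    Identifiers stay clear (the compromise of [0136]); deltas are reduced mod p."""
    t_enc = {h(i): tuple(eg_enc(alpha, v, r) for v in img) for i, img in tokens.items()}
    pages_enc = [[(i, eg_enc(alpha, dx % P, r), eg_enc(alpha, dy % P, r))
                  for i, dx, dy in page] for page in pages]
    base_enc = (eg_enc(alpha, base[0], r), eg_enc(alpha, base[1], r))
    return t_enc, pages_enc, base_enc

def lookup_enc(t_enc, identifier):
    """Lookup'(T', id): id' = h(id), then the plain table lookup on T'."""
    return t_enc[h(identifier)]

def render_clear(tokens, pages, base):
    """Render(D) of [0110]; returns the Draw(x, y, t) calls as a list."""
    drawn = []
    for page in pages:
        x, y = base
        for i, dx, dy in page:
            x, y = x + dx, y + dy
            drawn.append((x, y, tokens[i]))
    return drawn

def draw_trusted(a, x, y, t):
    """Draw'(x, y, t): the only step that sees clear coordinates and images."""
    return eg_dec(a, *x), eg_dec(a, *y), tuple(eg_dec(a, *c) for c in t)

def render_trusted(a, t_enc, pages_enc, base_enc):
    """Render'(D') of [0137]: coordinates accumulate under encryption."""
    drawn = []
    for page in pages_enc:
        x, y = base_enc                           # x = E_k(x0), y = E_k(y0)
        for i, dx, dy in page:
            x, y = eg_add(x, dx), eg_add(y, dy)   # x = x (+) x[k], y = y (+) y[k]
            drawn.append(draw_trusted(a, x, y, lookup_enc(t_enc, i)))
    return drawn

# Constructed sample document: three tiny "token images" (pixel values in
# 1..p-1) and two pages of (id, dx, dy) deltas relative to the previous token.
TOKENS = {"t1": (200, 17, 90), "t2": (33, 250, 8), "t3": (121, 121, 5)}
PAGES = [[("t1", 5, 10), ("t2", 8, 0), ("t1", 8, 0), ("t3", -16, 12)],
         [("t3", 5, 10), ("t2", 8, 0)]]
BASE = (0, 0)

def trusted_matches_clear(seed=1):
    """True when Render' over the encrypted document draws exactly what Render draws."""
    rng = random.Random(seed)
    a, alpha = eg_keygen(rng)
    r = rng.randrange(1, P - 1)
    encrypted = encrypt_document(alpha, TOKENS, PAGES, BASE, r)
    return render_trusted(a, *encrypted) == render_clear(TOKENS, PAGES, BASE)

if __name__ == "__main__":
    print(trusted_matches_clear())  # True
```

Absolute coordinates must stay below p for the wrap-around arithmetic to be exact, which is why the page coordinates here are small.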

[0138] In another embodiment of the invention, a digital work is polarized, enabling trusted rendering or replay of the digital work without depolarization of the digital content or presentation data. In this embodiment, the digital work is of the type which includes digital content and resource information (system context). The resource information includes formatting information or other information used by a replay or rendering application to convert the digital work into presentation data. 
[0139] Polarization is a type of transformation which renders the original content unreadable or unusable. For a digital work w, a polarization scheme T, which uses a seed s, generates a polarized digital work w' according to w' = T(w, s). The same transformation T may also be used to generate the polarized resource information S' according to S' = T(S, s). In this example a seed s is used to make reverse engineering of the polarization scheme more difficult. 

[0140] For example, a document type digital work may be polarized using a simple polarization scheme. In a document the digital content comprises a series of characters in a particular order or location. If the document is to be displayed on a viewing device, each character must be able to be displayed at a particular location for viewing by a user on the viewing device, such as on a monitor. A coordinate system is required for displaying each character on the monitor, so that each character in the document can be displayed on the monitor. The digital content contains coordinate information which is referenced by the monitor's coordinate system. For example, in this paragraph, the letter "F" appears at the top line, indented by five spaces. 

[0141] A simple polarization scheme for jumbling the text of the above paragraph is to translate the location of the letters with respect to the coordinate system. Each letter in the paragraph has an (x, y) location. Suppose the location (x, y) of each letter in the above paragraph is polarized using a seed (a, b) from a user's system. The following polarization functions may be used to polarize the above paragraph: 

Y = b^y, for the vertical axis; and 
X = x/a, for the horizontal axis. 

[0142] In this example, the user's device coordinate system must be polarized in order for the replay application to transform the digital content into presentation data, i.e., display the paragraph on the monitor descrambled. The user's device coordinate system must be polarized using the same seed (a, b) to generate a polarized coordinate system. The following transformation functions are used to compute both x and y locations of a given point: 

y = log_b(Y), for the vertical axis; and 
x = aX, for the horizontal axis, 

where log_b is the logarithm with base b. 

[0143] When the replay application obtains the location of a character in the polarized digital work, the location is given by (X, Y) = (x/a, b^y). This value is then applied to the device coordinate system, which yields (aX, log_b(Y)) = (x, y). Thus the correct location of "F" is displayed on the user's monitor. In both cases of polarization, the polarized forms of the resource information and the digital work maintain an inherent association. These complementary polarized forms of the resource information and the digital work result in the basis for an effective mechanism to protect the digital work. While the replay application is able to display the polarized digital work, it is only with the polarized system context that the replay application is able to provide clear presentation data. 

[0144] While polarization, in general, is not as rigorous a protection as encryption, depending on the sensitivity of the digital work to be protected, different levels of polarization can be used. A sensitive work may require a high level of polarization; a lower valued work may require a weaker type of polarization. If the user's environment is trusted, a lower level of polarization may be used. An advantage to using a lower level of polarization is that it requires fewer system resources to create the polarized digital work and to render or replay the polarized digital work. The type and quality of the polarization seed may also be used in combination with the polarization scheme to determine the level and strength of the polarization. For example, a more complex polarization seed (such as one containing authorization information from a trusted source or a dynamic seed) will provide a higher level of polarization and strength. 

[0145] Polarization typically occurs at the distribution or manufacturing location. Digital works are usually polarized prior to distribution to the user or customer using a polarization scheme chosen by the manufacturer or distributor. Resource information to be polarized may also be preselected in advance of delivery. Preferably a seed is used for each polarization scheme. Also preferably, the seed is generated using information provided by the user's system context.

[0146] When a user purchases a digital work, the user preferably provides information from the user system in which the user intends to replay the digital work. This information may be used to generate the polarization seed for both the polarized digital work and the polarized resource information (sometimes called the polarized system context). Then the polarized digital work and polarized system context or polarized resource information are provided to the user. Also, typically, but not needed for operation of this embodiment of the invention, the polarized digital work and polarized system context may be encrypted prior to distribution to the user. Decryption of both the polarized digital work and system context may be required prior to replay of the polarized digital work into presentation data, depending on the encryption scheme used.

[0147] [illegible in the scanned source] the generation of the polarization seed, polarization of the digital work and polarization of the resource information. Once the polarization seed is generated, the polarization engine is seeded with it. The polarization engine takes as input the digital work or the resource information, and generates the polarized form of the digital work or the resource information based upon the transformation function seeded with the polarization seed. During replay of the polarized digital work, the polarized resource information is utilized to generate the presentation data and/or image data. The same or different polarization transformation functions can be used for the digital work and the resource information.

[0148] A process for creating a polarized digital work is shown with reference to Figure 14. A digital work 1410 includes digital content and a set of resource information used for formatting and rendering the digital content into a form usable or viewable by a user. The digital work 1410 goes through a process of content polarization 1420 in which the digital content is polarized and the resource information is preserved, creating polarized digital work 1422. The content polarization 1420 may occur as shown with reference to Figure 9. A digital work typically includes content, instructions and formatting. While polarization can occur to the entire digital work, preferably only the content is polarized; the instructions and formatting are not polarized. However, in some instances, for some replay applications, some of the resource information contained within the digital work may also be polarized. This is similar to the format preserving encryption method described above.

[0149] Resource extraction 1412 extracts at least one resource information from the set of resource information associated with digital work 1410. Extraction consists of copying the resource information into a system resource file 1414. System resource 1414 is then polarized at resource polarization 1416 to become polarized system resource 1424. The polarization scheme for content polarization and resource polarization need not be the same. Preferably, each polarization scheme employs a polarization seed 1418 which is generated by seed generator 1426. Several exemplary methods for seed generation are described below. In particular, in a preferred embodiment, the polarization seed is based on unique information from the user's system.

[0150] Several techniques for generation of the polarization seed may be used. For example, a seed generator which generates a number from a random number generator may be used. This method, referred to as stateless polarization, does not depend on any secret key information or user system information. The process for stateless polarization yields a specific value for the system for polarization. The inherent vulnerability of digital security systems may be found in mishandling secret information, mathematical complexity, and algorithmic complexity. Eliminating the secret information seals off one target of attack. With stateless polarization, a random number generator produces the polarization seed. In this case, once the polarization process is complete the seed is discarded without a trace. Hence, the security of the system is free from attack focused on compromising the secret information, and the user need not divulge sensitive information that may be deemed a privacy violation.

[0151] Another seed generator that may be used is a state-based generator. The state-based seed generator constructs a seed by first acquiring system state information from the user's replay system or rendering device. System state information includes hardware identifiers, system settings and other system state-related information. While there is much value in stateless polarization, other security requirements may require use of an inseparable link to a particular user system or device. By generating the polarization seed from system/device-specific information, the polarization engine will produce a digital work that is polarized to a form that corresponds to a specific system/device.

[0152] The polarization seed generator can also be tied to an authorization process. In authorization-based polarization, the seed generation can be tied in with the outcome of the authorization process. A separate authorization repository (which is a trusted source) provides authorization information as part of some other security feature associated with delivering access to a digital work to a user. The trusted source of authorization information may be an online authorization repository as described in US Patent No. 5,629,980. This authorization information is then used to generate a polarization seed.
[0153] If a stateless polarization seed is used, the digital work and its resource information may be polarized and stored together for delivery to a user when a user purchases the associated rights of use for the particular digital work. If one of the other polarization seed generation methods is used, polarization typically must wait until the user provides the system state or authorization information before the digital work and resource information may be polarized.

[0154] An embodiment which provides a higher level of protection in terms of ensuring that the digital work may be replayed only on a specific physical system or device uses a dynamic state-based polarization seed. In this embodiment, a polarization engine and polarization seed generator must be provided to the replay application or rendering device along with the digital work and resource information. In this embodiment, the digital work and resource information are polarized prior to replay and rendering using a seed which is generated based on the dynamic state of the particular system or device. The dynamic state may come, for example, from the system clock, CPU utilization, hard drive allocation, cursor coordinates, etc. By polarizing the work using a snapshot of a dynamic state, the work is locked to a particular system configuration (i.e., state) in time. Polarization of the digital work, and ultimately its blind replay (described below), is based upon a dynamically evolving state. The evolution of the dynamic state does not yield unique secret information [illegible in the scanned source]. Dynamic-state based polarization makes compromising the polarized digital work and system context more difficult. Since the polarization process is carried out within a trusted system, it is implied that the process cannot be deconstructed.

[0155] The actual process of polarization can be, as described in the example above, an algorithmic-based transformation parameterized by the polarization seed. During polarization, the data and resource identifiers of the digital work are transformed as described above. The structure of the digital work is unaltered, however, such that the original format, such as PDF, DOC, WAV, or other format, is retained much like in the format preserving encryption. Similarly the polarization of the resource information yields a polarized form of the resource information such that the resource identifiers, element identifiers and resource characteristics are transformed, yet the structure of the system context remains unaltered. By polarizing the digital work and resource information according to the same seed based on a user's specific device or system information, an inseparable relationship is established such that the work cannot be replayed to its clear form with any other device or user system. If circulated in an unauthorized manner, the protection remains in effect.

[0156] During blind replay, the unique characteristics of the polarized resource information enable the replay application to properly replay the polarized digital work and generate unpolarized or clear presentation data. Because the digital work and the resource information were transformed in a complementary manner, the polarized elements of the digital work, such as the resource identifiers and data, unknowingly reference the complementary elements within the resources of the system context. Due to the matching transformation the proper elements within the context are identified by the replay application such that the resultant presentation data appears in the clear. Hence, the work is protected until the last possible moment after replay.

[0157] As discussed earlier, the conventional distribution of digital works via the web is relatively straightforward. The work is created using an editor, posted to a web site, accessed by the user audience and replayed in a viewer or on a display system. If a content owner does not desire to protect his/her digital work (or if the content owner trusts all users who will receive the work), the digital work is provided "in the clear", i.e., without any encoding, encryption or other protection, for direct use by any user.

[0158] If the digital work is downloaded onto the user's system, it is typically stored in memory. If the digital work is provided via a storage medium, such as floppy disk or CD-ROM or DVD-ROM, the digital work is usually accessed directly from the storage medium.

[0159] In order to play the digital work, referring to Figure 15, the digital work 1510 is provided to a replay application 1512. In the case of a document or other type of digital work which requires formatting information or resource information, the digital work will include digital content plus resource information setting forth the particular system context or system resources needed by the replay application to process the digital content. For example, the digital work 1510 may be a text document in which the text is displayed using the Arial font. When replay application 1512 accesses resource information on digital work 1510 indicating the Arial font is used, it accesses the appropriate system resources 1516 (which in this case is the Arial font table) and uses the system resource information to convert the digital content into presentation data 1514.

[0160] In some replay applications, converting the digital content into presentation data is sufficient for use by the user. In others, presentation data is only an intermediate form which must be further converted. For example, in the case of a display system 1524 which is a printer, the presentation data 1514 must be further rendered by rendering application 1518. Rendering application 1518 may be a decomposer within the printer. Rendering application 1518 uses other system resources 1516 to transform the presentation data 1514 into image data 1520. Image data 1520 is in a form which can be directly displayed on display device 1522 (in the case of a printer, output as a printed document).
[0161] In addition to the earlier described systems and methods for protecting a digital work during replay, a digital work may be protected during replay by polarizing the digital work in accordance with a first polarization scheme which produces polarized content and preserves the digital work's resource information. A portion of the digital work's resource information is copied and polarized in accordance with a second polarization scheme. Referring to Figure 16, replay application 1612 uses the polarized resource information 1614 (and any other system resource information 1616 that may be required) to transform the polarized digital work 1610 into clear presentation data 1618. Presentation data is necessarily in the clear, which means it can be captured by other programs (such as a screen capture utility program). However, the output of such other programs is not in the same format and frequently not of the same fidelity as the original digital work.

[0162] The polarized resource information can be thought of as acting like a polarizing filter to bring the polarized digital content into a clear image (presentation data). This system is a blind replay system in that the replay application, which can be any commercial application, does not know or need to know the clear digital content. Blind replay operates for any transformation function R such that R(w',s') = R(w,s), where w' is the polarized digital content, w is the clear digital content, s' is the polarized resource information and s is the unpolarized resource information. Blind replay of polarized digital works using polarized resource information is different from blind transformation described above in that blind replay produces clear presentation data without having to depolarize it. In blind transformation, the replay application converts the encrypted digital work into encrypted presentation data, which must then be decrypted. In both cases, the user does not [illegible in the scanned source] the digital work in its clear form.

[0163] Blind replay (also called blind rendering) using a polarized digital work and polarized resource information can be used alone to protect the digital work during replay as well as in addition to regular encryption. For example, the polarized digital work and polarized resource information may be encrypted to protect it during distribution, then decrypted at the user's system into the polarized digital work and polarized resource information. The user must first obtain permission from the content owner or the distributor acting on behalf of the content owner (in order to decrypt the encrypted digital work). Once the user is qualified, the encrypted polarized digital work and the encrypted polarized resource information are decrypted and the polarized digital work is replayed in the replay application using the polarized resource information.

[0164] The complexity of rendering a digital work into a usable form for viewing by a user can be used to further protect the digital work during replay. Referring to Figure 17, polarized digital work 1710 is provided to replay application 1712 which uses polarized system resources 1716 and other system resources 1718 to transform polarized digital work 1710 into partially polarized presentation data 1714. In this embodiment, display system 1728 is needed to transform presentation data into a form usable by the user. Partially polarized presentation data 1714 is provided to rendering application 1720 which uses polarized system resources 1716, local system resources 1722 and system resources 1718 to transform the partially polarized presentation data 1714 into clear image data 1724. Clear image data 1724 is then displayed on display device 1726 for use by the user. In this embodiment, presentation data is still polarized, taking the location of the clear data to a later point of the display process and providing further protection.

[0165] To enhance usability of the system for polarization of digital works, the polarized resource information may be separated from the digital work and tied to a transportable device such as a smart card. In this embodiment, the replay application 1712 plays back the work using the polarized system resources 1716. Instead of having the polarized system resources 1716 stored in a local memory along with the polarized digital work 1710, the polarized system resources 1716 are stored in a transportable device such as a smart card. Also, the smart card, possibly with hardware-enhanced features, may possess attributes that provide for tamper resistance. Within the transportable context, the polarized data is processed by the replay application 1712 to yield the partially polarized presentation data and then provided to the rendering application 1720.

[0166] Many different types of digital works can be protected throughout use using the polarization method. For example, if the digital work is a document or text file, the replay application may be a word processor, and the system resources or resource information may include font tables, page layout, and color tables. If the digital work is audio or video data (e.g. streams), the replay application may be an audio or video player. The presentation data will be the audio/video final data stream. The display system may be an audio/video device. The rendering application may be the audio/video device driver. The image data may be the audio/video device data stream and the display device may be the audio/video rendering device (speaker or monitor, for example).

[0167] For a digital work that is an audio/video data stream, the system resources or resource information may include characteristics of the audio/video device: sample rate (samples per second - e.g., 8 kHz, 44.1 kHz), sample quality (bits per sample - e.g., 8, 16), sample type (number of channels - e.g., 1 for mono, 2 for stereo), and sample format (instructions and data blocks). A table of some audio/video data streams and their corresponding resource information or variable parameters which can be selected for polarization is set forth below:

Table 1: Digital Work: A/V Data (Streams)

Extension   Origin           Variable Parameters (#Fixed)     Compression   Player
.mp3        MPEG standard    sample rate, quality, #type      MPEG          MP3 Player
.ra         Real Networks    sample rate, quality, #type      Plug-ins      Real Player
.wav        Microsoft        sample rate, quality, #type      ADPCM         Windows Media
.snd        Apple            sample rate, #quality, #type     MACE          QuickTime

[0168] The structure of a digital work can be used advantageously for polarization. While it is possible to polarize the entire digital work, it is more convenient to polarize only a portion of the digital work. Most digital works include three primary elements: instructions, data, and resources. Preferably, only the data and resources of the digital work are polarized, much like the format preserving encryption method described above. By selectively transforming only the data and resources, a digital work may be transformed such that the content remains in the original format, yet the data and resources are incomprehensible.

[0169] The general layout of a digital work of the document type is shown in Figure 18. In Figure 18, digital work 150 includes Page Descriptors 152, Control Codes 154, 158 and 162, Resource Identifiers 156, and Data 160 and 164. The Page Descriptors 152 define the general layout of a work. For instance, the page title, page number, and margins fall into the category of Page Descriptors with respect to digital documents. Control Codes 154, 158 and 162 are similar in that they describe the presentation of the content. Examples include commands to set text position, output text, set font type and set current screen coordinates. Resource Identifiers 156 simply reference the desired resources. In the digital document realm, resources could vary from font typeface to background color. Finally, Data 160, 164 represent the core information communicated by the digital work. This could be the drawing coordinates used in a multimedia clip or the character codes for rendering as a digital document.

[0170] An example of a digital work (in this case a simple digital document) and one of its polarized forms are shown in Figures 19 and 20, an HTML document in clear and polarized form. The tags <html> and <body> are Page Descriptors. The <font> </font> tag is an example of a Control Code for setting font resource characteristics, while "Arial" and "14" are Resource Identifiers for an Arial typeface, 14 point font. The "Hello World" text is the Data, or the core information of the work. The <p> is another Control Code to signal the beginning of the paragraph. Finally, the document is closed out with Page Descriptors </body> and </html> to identify the end of the document.

[0171] Figure 20 shows what the digital work of Figure 19 looks like in a polarized form. It can be seen that the Page Descriptor and Control Code tags remain unaltered; the <html>, <body> and <font> tags are unchanged. Whereas, the Resource Identifiers, "Arial" and "14", have been transformed to indecipherable values. Similarly, the Data, "Hello World", has also been transformed to an indecipherable value. By transforming the Resource Identifiers and the Data the content is rendered meaningless while in the polarized form. Yet, the fact that the Page Descriptors and Control Codes remain intact allows for the document to retain its original format, which in general could be HTML, Adobe PDF, RealNetworks RAM, Apple QuickTime, etc.

[0172] The system context (or system resources or resource information) can be thought of as the collection of system resources available to a replay application on a particular system. For example, it may include the Font Table, Color Palette, System Coordinates and Volume Setting. When a digital work is input to a replay application, the replay application uses the particular resource information contained within the digital work to transform the digital content into presentation data. Each system context or resource information contained within a digital work is or can be altered to be unique to a system for which it can be replayed. The system context is a required element for the use of the digital work, tying use of the digital work to a specific system or physical device or replay application for replay. The Resource Identifiers and Data within the digital work may either directly or indirectly reference elements contained within the system context. Polarizing the digital work and system context enables blind rendering into clear presentation data. By polarizing the system context with a polarization seed that is tied to a unique system, the resulting polarized system context can be a unique environment in which a complementary polarized digital work, which has been polarized with the same polarization seed, may be accessed and replayed.

[0173] Figure 21 illustrates a typical configuration of the system context. The elements include the resource identifier (ResID), element identifier (ElemID), and resource characteristics (Characteristics). The ResID includes pertinent information for other system components to reference the resources. The ElemID is the identifier of an individual element within the resource. Finally, the Characteristics are the actual resource characteristics used to express the individual resource element.

[0174] Figure 22 is an illustration of the resource for the font table pertaining to the Arial typeface. The key resource identifier in this case is the font name, "Arial". Following the ASCII convention, the number 48 identifies the individual resource element identifier. The resource element characteristics for the ElemID represent the information to express the letter 'a'.

[0175] Figure 23 is an illustration of the polarized system context for the font resource shown in Figure 22. The resource identifier itself is transformed to "k13k2". The element identifier itself need not be transformed, as it is sufficient to transform the resource characteristics alone. In this case, "48" is depicted as transformed to express the characteristics for 'Y' instead of 'a'.
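The HTML example of [0170]-[0171] and the polarized font resource of [0173]-[0175], as an added example that is not from the patent: tags (Page Descriptors and Control Codes) are preserved, Resource Identifiers and Data are transformed, and the font table is polarized with the same seed so that the renderer produces "Hello World" without depolarizing anything, while the same polarized work rendered against the clear font table or a table polarized with another seed is indecipherable. The seed, the hash-based ResID transform and the permutation of element characteristics are assumptions; the glyph characteristics are represented by the character itself.

```python
import hashlib
import random
import string

# Added example (not code from the patent). A work is a list of (kind, value)
# tokens: "tag" (Page Descriptor / Control Code), "resid" (Resource
# Identifier) or "data". A system context maps a font ResID to a table
# {element identifier (character code): characteristics (here, the glyph's
# printable character stands in for its outline)}.

ALPHABET = string.printable            # element identifiers are these codes


def polarization_permutation(seed):
    """Seed-derived permutation of element identifiers (character codes)."""
    codes = [ord(c) for c in ALPHABET]
    shuffled = codes[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(codes, shuffled))


def polarize_resource_id(name, seed):
    """Transform a Resource Identifier such as "Arial" to an opaque value
    (hash-based; an assumption, the patent shows only "k13k2")."""
    return hashlib.sha256(f"{seed}:{name}".encode()).hexdigest()[:8]


def polarize_work(work, seed):
    """Tags are preserved; ResIDs and Data are transformed."""
    perm = polarization_permutation(seed)
    out = []
    for kind, value in work:
        if kind == "tag":
            out.append((kind, value))
        elif kind == "resid":
            out.append((kind, polarize_resource_id(value, seed)))
        else:  # data: each character code is replaced by its permuted code
            out.append((kind, "".join(chr(perm[ord(c)]) for c in value)))
    return out


def polarize_context(context, seed):
    """Polarize the system context: the font ResID is transformed and the
    element characteristics are moved so that element perm[code] now carries
    the characteristics the clear table held at code (cf. Figure 23)."""
    perm = polarization_permutation(seed)
    return {
        polarize_resource_id(name, seed): {perm[code]: glyph for code, glyph in table.items()}
        for name, table in context.items()
    }


def render(work, context):
    """Blind rendering: look up each data character's element in the font
    resource the work names; nothing is ever depolarized."""
    font = None
    output = []
    for kind, value in work:
        if kind == "resid" and value in context:
            font = context[value]
        elif kind == "data":
            if font is None:
                # unknown font resource: fall back to the first table, as an
                # application substituting a default font would
                font = next(iter(context.values()))
            output.append("".join(font.get(ord(c), "?") for c in value))
    return "".join(output)


# Constructed sample work and context (the document of Figure 19).
CLEAR_CONTEXT = {"Arial": {ord(c): c for c in ALPHABET}}
CLEAR_WORK = [
    ("tag", "<html>"), ("tag", "<body>"),
    ("tag", "<font>"), ("resid", "Arial"), ("resid", "14"),
    ("tag", "<p>"), ("data", "Hello World"),
    ("tag", "</font>"), ("tag", "</body>"), ("tag", "</html>"),
]
SEED = 20011023                         # constructed polarization seed

if __name__ == "__main__":
    pw = polarize_work(CLEAR_WORK, SEED)
    pc = polarize_context(CLEAR_CONTEXT, SEED)
    print("polarized work:", pw)
    print("polarized + polarized:", repr(render(pw, pc)))
    print("polarized + clear:    ", repr(render(pw, CLEAR_CONTEXT)))
    print("clear + clear:        ", repr(render(CLEAR_WORK, CLEAR_CONTEXT)))
```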

[0176] Polarization and blind rendering may be used for many different types of digital works. In addition to documents, polarization and blind rendering may be used for audio/video data. As noted above, audio/video data is generally provided in the form of streams. A replay application is the audio/video player which transforms the digital audio/video stream into a final data stream which can be processed by a transducer (speaker) into an audio output or by a display into a video image.

[0177] Referring to Figure 17, replay application 1712 corresponds to an audio/video player which generally operates by sampling the audio/video input streams 1710 at some sample rate, quality and type accepted by a target audio/video device. It uses the audio/video system resources to sample, mix and produce audio/video streams and then mixes the resampled audio/video streams to produce a final audio/video stream in a format expected by the target device. In the case of an audio/video player, the presentation data 1714 is the final mixed audio/video stream at some sample rate, quality, type and format expected by a target audio/video device.

[0178] The target audio/video device (e.g., rendering application 1720) is some hardware system that is able to convert the audio/video stream (presentation data 1714) at a specific sample rate, quality, type (channel) and format (e.g., PAL or NTSC) into the device audio/video data 1724. Examples of audio devices include sound cards, speakers, monitors and the digital to analog converter located within the audio/video device. Many devices are able to play audio/video streams at a range of different sample rates. Image data 1724 (e.g. an audio signal or a video image stream) is generated by the audio/video device driver 1720 and "consumed" by the display device 1726.

[0179] For example, to polarize an audio/video data stream, it may be split into two or more separate streams. One stream is polarized and one stream is unpolarized. Each stream may have different device characteristics (resource information): sample rates, channels, qualities and/or formats associated with it. The device characteristics (one or more of the stream's sample rates, channels, qualities and/or formats) may also be polarized to generate the polarized resource information.

[0180] Blind replay of the polarized audio/video stream is accomplished in a similar manner as for a polarized digital document. The replay application (audio/video player) mixes together the unpolarized stream and the polarized stream, and using the polarized resource information, produces a polarized final data stream for the target audio/video device with a correct set of resource information. The target device (1720) uses the polarized resource information to play the polarized data stream generating clear sound/visual effects (1724).

[0181] While certain exemplary embodiments of the invention have been described in detail above, it should be recognized that other forms, alternatives, modifications, versions and variations of the invention are equally operative and would be apparent to those skilled in the art. The disclosure is not intended to limit the invention to any particular embodiment and is intended to embrace all such forms, alternatives, modifications, versions and variations. For example, the portions of the invention described above that are described as software components could be implemented as hardware. Moreover, while certain functional blocks are described herein as separate and independent from each other, these functional blocks can be consolidated and performed on a single general-purpose computer, or further broken down into sub-functions as recognized in the art. Accordingly, the true scope of the invention is intended to cover all alternatives, modifications, and equivalents and should be determined with reference to the claims set forth below.



Claims

1. A method of protecting a digital work, z, during transformation by a transformation function, F, into presentation data F(z), comprising:

encrypting the digital work, z, in accordance with an encryption scheme, E;

using a blind transformation function P to transform the encrypted digital work E(z) into encrypted presentation data, P(E(z)), wherein P is a function of F; and

decrypting the encrypted presentation data, P(E(z)), in accordance with a decryption function, D, to obtain the presentation data, F(z), wherein D(P(E(z))) = F(z).

2. The method of claim 1, wherein the encryption scheme E is a format preserving encryption scheme.

3. The method of claim 1, wherein the encryption function E is an additive encryption scheme and wherein P = F.

4. The method of claim 3, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, EG, OU, RSA and compositions thereof.

5. The method of claim 1, wherein P is a polynomial of F.

6. A system of protecting a digital work, z, during transformation by a transformation function, F, into presentation data F(z), comprising:

an encryption engine for encrypting the digital work z in accordance with an encryption scheme, E;

a blind transformation function P for transforming the encrypted digital work E(z) into encrypted presentation data, P(E(z)), wherein P is a function of F; and

a decryption engine for decrypting the encrypted presentation data, P(E(z)), in accordance with a decryption function, D, to obtain the presentation data, F(z), wherein D(P(E(z))) = F(z).

7. The system of claim 6, wherein the encryption scheme E is a format preserving encryption scheme.

8. The system of claim 6, wherein the encryption function E is an additive encryption scheme and wherein P = F.

9. The system of claim 8, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, EG, OU, RSA and compositions thereof.

10. The system of claim 6, wherein P is a polynomial of F.
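The blind transformation of claims 1 and 3, D(P(E(z))) = F(z) with P = F for an additive encryption scheme, worked through as an added example that is not the patent's own code. The Paillier cryptosystem (additively homomorphic; not among the schemes named in claim 4) stands in for E, F is the integer-coefficient affine function F(z) = 3z + 5, and the primes and sample values are constructed toy parameters.

```python
import math
import secrets

# Added example, not the patent's own code. Paillier stands in for the claims'
# additive encryption scheme E; the transformation F is the affine function
# F(z) = A*z + B, and the blind transformation P carries out the same map on
# ciphertexts, so P = F as in claim 3. Toy primes (constructed for
# illustration only): real keys use primes of ~1024 bits.

P_PRIME, Q_PRIME = 10007, 10009
N = P_PRIME * Q_PRIME
N2 = N * N
LAM = (P_PRIME - 1) * (Q_PRIME - 1) // math.gcd(P_PRIME - 1, Q_PRIME - 1)  # lcm(p-1, q-1)
G = N + 1                       # standard generator choice
MU = pow(LAM, -1, N)            # L(G^LAM mod N^2) == LAM (mod N) when G = N + 1

A, B = 3, 5                     # F(z) = 3z + 5


def encrypt(m: int) -> int:
    """E(m) = G^m * r^N mod N^2 with a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """D(c) = L(c^LAM mod N^2) * MU mod N, where L(u) = (u - 1) / N."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N) * MU % N


def F(z: int) -> int:
    """The clear transformation, applied to the clear work (mod N)."""
    return (A * z + B) % N


def P(c: int) -> int:
    """Blind transformation on the ciphertext: E(z)^A * E(B) = E(A*z + B).
    The replay side works only with E(z) and never learns z."""
    return (pow(c, A, N2) * encrypt(B)) % N2


def blind_transform(z: int) -> int:
    """D(P(E(z))) as in claim 1: returns the presentation data F(z)."""
    return decrypt(P(encrypt(z)))


def blind_equals_clear(z: int) -> bool:
    """Check the claim's identity D(P(E(z))) = F(z) for one work z."""
    return blind_transform(z) == F(z)


if __name__ == "__main__":
    for z in (0, 42, 123456):
        print(f"z={z}: D(P(E(z)))={blind_transform(z)} F(z)={F(z)} equal={blind_equals_clear(z)}")
```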
